Edit tour

Windows Analysis Report
2w7DKYnIeS.exe

Overview

General Information

Sample Name:	2w7DKYnIeS.exe
Original Sample Name:	8ceb009d3cee1184f0cea2cf1f2b193540c1470bfcbe3b8ee819c2d5b1ae9233.exe
Analysis ID:	1271747
MD5:	86b93d8cca249bea2659d47002b7bf64
SHA1:	5b00daf7d903ef0dea201366e0f58896511ad76d
SHA256:	8ceb009d3cee1184f0cea2cf1f2b193540c1470bfcbe3b8ee819c2d5b1ae9233
Tags:	exetoitointrojan
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Command shell drops VBS files

Queries the volume information (name, serial number etc) of a device

PE file contains sections with non-standard names

Creates a start menu entry (Start Menu\Programs\Startup)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

2w7DKYnIeS.exe (PID: 7116 cmdline: C:\Users\user\Desktop\2w7DKYnIeS.exe MD5: 86B93D8CCA249BEA2659D47002B7BF64)

cmd.exe (PID: 4532 cmdline: C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cscript.exe (PID: 4640 cmdline: cscript C:\Users\user\AppData\Local\Temp\QV.vbs MD5: 956185CAF895737F30E8EE24DEFCE8E6)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 8.8.8.8 - Destination IP: 192.168.2.3

Timestamp:	8.8.8.8192.168.2.353539752018316 07/12/23-15:12:53.636167
SID:	2018316
Source Port:	53
Destination Port:	53975
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2w7DKYnIeS.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 2w7DKYnIeS.exe	ReversingLabs: Detection: 68%
Source: 2w7DKYnIeS.exe	Virustotal: Detection: 67%			Perma Link

Multi AV Scanner detection for domain / URL

Source: cartolabrasil.com

Virustotal: Detection: 14%

Perma Link

Source: 2w7DKYnIeS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\sdsdsdsds.pdb7 source: 2w7DKYnIeS.exe
Source:	Binary string: F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\sdsdsdsds.pdb source: 2w7DKYnIeS.exe

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2018316 ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses 8.8.8.8:53 -> 192.168.2.3:53975

Source: unknown

DNS traffic detected: query: cartolabrasil.com replaycode: Name error (3)

Source: unknown

DNS traffic detected: queries for: cartolabrasil.com

Source: 2w7DKYnIeS.exe	ReversingLabs: Detection: 68%
Source: 2w7DKYnIeS.exe	Virustotal: Detection: 67%

Source: 2w7DKYnIeS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2w7DKYnIeS.exe C:\Users\user\Desktop\2w7DKYnIeS.exe
Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\AppData\Local\Temp\QV.vbs
Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\AppData\Local\Temp\QV.vbs	Jump to behavior

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: StorYBook.lnk.5.dr

LNK file: ..\..\..\..\..\..\..\..\Public\Documents\har\StorYBook.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_01
Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	Mutant created: \Sessions\1\BaseNamedObjects\@

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\AppData\Local\Temp\QV.vbs

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

File created: C:\Users\user\AppData\Roaming\241773.log

Jump to behavior

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

File created: C:\Users\user\AppData\Local\Temp\DI.bat

Jump to behavior

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

File written: C:\Users\Public\Documents\377142.ini

Jump to behavior

Source: classification engine

Classification label: mal76.winEXE@6/4@7/0

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 2w7DKYnIeS.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2w7DKYnIeS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2w7DKYnIeS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2w7DKYnIeS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\sdsdsdsds.pdb7 source: 2w7DKYnIeS.exe
Source:	Binary string: F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\sdsdsdsds.pdb source: 2w7DKYnIeS.exe

Source: 2w7DKYnIeS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2w7DKYnIeS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2w7DKYnIeS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2w7DKYnIeS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2w7DKYnIeS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 2w7DKYnIeS.exe

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\QV.vbs

Jump to behavior

Source: C:\Windows\System32\cscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk

Jump to behavior

Source: C:\Windows\System32\cscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk

Jump to behavior

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\2w7DKYnIeS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\AppData\Local\Temp\QV.vbs			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Scripting	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	2 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Scripting	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2w7DKYnIeS.exe	68%	ReversingLabs	Win64.Trojan.Malgent
2w7DKYnIeS.exe	68%	Virustotal		Browse
2w7DKYnIeS.exe	100%	Avira	HEUR/AGEN.1319798

Source	Detection	Scanner	Label	Link
cartolabrasil.com	14%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cartolabrasil.com	unknown	unknown	false	14%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1271747
Start date and time:	2023-07-12 15:11:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	2w7DKYnIeS.exe
Original Sample Name:	8ceb009d3cee1184f0cea2cf1f2b193540c1470bfcbe3b8ee819c2d5b1ae9233.exe
Detection:	MAL
Classification:	mal76.winEXE@6/4@7/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:12:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk

Process:	C:\Users\user\Desktop\2w7DKYnIeS.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (1172), with no line terminators
Category:	dropped
Size (bytes):	1175
Entropy (8bit):	2.2236530552746743
Encrypted:	false
SSDEEP:	24:i5wPkEWB8VIFiRemEn8MwfR+aKhRemEn8MwfR+agPOxRemEn8MwfR+akkHaRemE9:SB8ZRemE8MwklRemE8MwkNsRemE8Mwk+
MD5:	0F1092401C2129A16901A9743AF9CE06
SHA1:	009FA917EA86DE34A1A28AF1AABD0D2B244D209F
SHA-256:	0F7BD6F924483D6FBE8E74384D23EE851B55760D5C33613277D09F58251E6D21
SHA-512:	75F4C6F8435D59EAFE0BFFF520981E4D6603EF1826FB6D406EA18B542DEAE3906008E320B3C1C3F2A9B31FFC8D8C04D782F353857758B88DED2FBB88F718182E
Malicious:	false
Reputation:	low
Preview:	.A36332C4C455E4A35332C4C455E4A3433233633393435333033363334343533393336343233393334343633323331333333343337333833373433333433303338333533383338343234333335333033333335343434363330333633333436333633363434343534323337343334343334333733353339333233333337343134343331333134323336333234343432343533313335333434323338343333383432343434363337343534343431333334323432343333313434333434353436333033313331333433353338333534333432333034323334343533383332343333353A333323313A32332233333133314433333145334735373336353732373335334530373536323633463936333533443436364633373536344635363547343733353346383631373235334638363137323634373142354631473036373233333233314433333145334735373336353732373335334530373536323633463936333533443436364633373536344635363547343733353346383631373235334435453537383436323547383634463342333333333144333331453347353733363537323733353345303735363236334639363335334434363646333735363446353635473437333533463836313732353345333734363647323539343236364636463242354635373836353233333433314433

C:\Users\user\AppData\Local\Temp\DI.bat

Download File

Process:	C:\Users\user\Desktop\2w7DKYnIeS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	550
Entropy (8bit):	5.063355196726733
Encrypted:	false
SSDEEP:	12:Mt+OJsmWe9MgMHSuVM1t254gsmWY7drOsmWlgsmHrosmzJugsmy:q+igxEuVMO4ggudrOglgp0qg0
MD5:	213F72B3D9ADE0D27802B6C2EB81F0CE
SHA1:	841416DE65243491149B88BD8DA54A6C1022C071
SHA-256:	28B0981BE9652721B5F521BACC38DCDF4814761F3FD45C67CC0138627CAE0FEA
SHA-512:	2E6CFAB45295A5E8FDE6D3161CAE082DB5F596917D6EF0AD01C2D5254919E90FE80A05E06988938F802733260B6FF0DAD2D052D91E52FA6E5FBF5A7D12ECEA9A
Malicious:	false
Reputation:	low
Preview:	echo Set oWS = WScript.CreateObject("WScript.Shell") > C:\Users\user\AppData\Local\Temp\QV.vbs ..echo Set oLink = oWS.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk") >> C:\Users\user\AppData\Local\Temp\QV.vbs ..echo oLink.TargetPath = "C:\users\Public\Documents\har\StorYBook.exe" >> C:\Users\user\AppData\Local\Temp\QV.vbs ..echo oLink.Save >> C:\Users\user\AppData\Local\Temp\QV.vbs ..cscript C:\Users\user\AppData\Local\Temp\QV.vbs ..del C:\Users\user\AppData\Local\Temp\QV.vbs ..

C:\Users\user\AppData\Local\Temp\QV.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	261
Entropy (8bit):	5.000125467830756
Encrypted:	false
SSDEEP:	6:jpN+ZzMgFWXp+NaZ5SuH1MUmt28MULOLCUc7H9dC+FBHLOLYq:L+ZzMgMHSuVM1t25SO+7dr7OB
MD5:	BC06A4C5F986149831E93CEFFCECAADF
SHA1:	D77D905FA05D5757FF289AC9BFAF8276216423E3
SHA-256:	41D1463402C46CC0B601C19177CAE81F04A24202BBA5025E7BE4EDFDF347A579
SHA-512:	F124CB49C11339F9D5BFF54B534C01F937A64A57EE4E12A109BD27C4F1BBBD807B8EA1F0D0078092CB9C63480A75F31DF1F4B074388D5D3F481F7735B9ED9479
Malicious:	true
Reputation:	low
Preview:	Set oWS = WScript.CreateObject("WScript.Shell") ..Set oLink = oWS.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk") ..oLink.TargetPath = "C:\users\Public\Documents\har\StorYBook.exe" ..oLink.Save ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk

Download File

Process:	C:\Windows\System32\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	878
Entropy (8bit):	3.076477322904048
Encrypted:	false
SSDEEP:	12:8gl0jsXtyd9CVJEIy/ii1pY9zPGI032vPegvmNJS4t2Y+xIBjK:809mXgl0Gu8CJO7aB
MD5:	BE9108B8015959E67CBC8B5377EA35A7
SHA1:	0C072ECF2A7C9731E242C5770DFC3E7B7F5A813C
SHA-256:	6A547AF5CD43C74641AA8A14F0822E06864E563804BB9BADF711719C1EB03C59
SHA-512:	40DAB1FC15B600D5184466BD5920E8DB4B1FC70CF490A027E1311CF6C57EB0926B709E818031D77B574194677A46526246A0D9F6C1218AE8FCD1D06CD39064F0
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........users.<............................................u.s.e.r.s.....T.1...........Public..>............................................P.u.b.l.i.c.....\.1...........Documents.D............................................D.o.c.u.m.e.n.t.s.....J.1...........har.8............................................h.a.r.....h.2...........StorYBook.exe.L............................................S.t.o.r.Y.B.o.o.k...e.x.e.......:.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.D.o.c.u.m.e.n.t.s.\.h.a.r.\.S.t.o.r.Y.B.o.o.k...e.x.e.............-............$H...E...ye.64-...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.067192906935069
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2w7DKYnIeS.exe
File size:	875'520 bytes
MD5:	86b93d8cca249bea2659d47002b7bf64
SHA1:	5b00daf7d903ef0dea201366e0f58896511ad76d
SHA256:	8ceb009d3cee1184f0cea2cf1f2b193540c1470bfcbe3b8ee819c2d5b1ae9233
SHA512:	c69a7641f4e38d8cd7d4ec6b048cde4a922eee0866aa4b9660a28e0e807bf88bbe4b3943168012ab47f1dff65e80772bb115edf93cdb36892ad79f59b77feda5
SSDEEP:	12288:Rgi0cO/aRB7kBfqQqVw2yJ5rcQm6dTxqooWjrARw75WSaLpG/4YBZRyIL9oI0+IQ:6i0vTcSaLpG/4AZfBT0+ImiMRUIb9/G0
TLSH:	1915BE1E739801F8E167D139C9861902E7B97846237257AF43B187AB2F676B05F3E321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....j...j...j..D....j..D....j..D....j.......j.......j......Zj..D....j...j...j.......j.......j.......j..Rich.j..........PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140043bd4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645A584F [Tue May 9 14:27:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	73d189c842cb51c1f0d99b6e94ba6f52

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5FBCC9DC44h
dec eax
add esp, 28h
jmp 00007F5FBCC9D53Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5FBCC9D6D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5FBCC9D6D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5FBCC9D6CDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5FBCC9CBF2h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x95c14	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9c000	0x4374	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa3000	0xda8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8b610	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8b680	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8b4d0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x73000	0x360	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x71e04	0x72000	False	0.44740482798793857	data	6.439039437731737	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x73000	0x23788	0x23800	False	0.4778897997359155	data	5.5611749854584485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x97000	0x4dfc	0x2200	False	0.14418658088235295	DOS executable (block device driver)	3.6639591051308513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9c000	0x4374	0x4400	False	0.48190487132352944	data	5.881001375890815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xa1000	0x15c	0x200	False	0.40625	data	3.3136710739091804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x1e0	0x200	False	0.525390625	data	4.69492069540085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa3000	0xda8	0xe00	False	0.4681919642857143	data	5.392358840650056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa2060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenA, InternetOpenUrlA
KERNEL32.dll	RtlPcToFileHeader, SetEndOfFile, HeapSize, CreateFileW, SetStdHandle, CreateMutexW, LCIDToLocaleName, GetLastError, GetUserDefaultLCID, CloseHandle, WideCharToMultiByte, GetComputerNameA, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, GetLocaleInfoEx, LCMapStringEx, GetStringTypeW, CompareStringEx, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, WriteConsoleW, RaiseException, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RtlUnwind, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, EnumSystemLocalesW, ReadFile, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation
SHELL32.dll	SHCreateDirectoryExW, SHGetFolderPathA, ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
8.8.8.8192.168.2.353539752018316 07/12/23-15:12:53.636167	UDP	2018316	ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	53975	8.8.8.8	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2023 15:12:53.227911949 CEST	52387	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.256798983 CEST	53	52387	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.308449030 CEST	56924	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.329137087 CEST	53	56924	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.386768103 CEST	60625	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.416307926 CEST	53	60625	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.472980976 CEST	49302	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.501493931 CEST	53	49302	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.612763882 CEST	53975	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.636167049 CEST	53	53975	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.701622009 CEST	51139	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.716465950 CEST	53	51139	8.8.8.8	192.168.2.3
Jul 12, 2023 15:12:53.853107929 CEST	52955	53	192.168.2.3	8.8.8.8
Jul 12, 2023 15:12:53.876625061 CEST	53	52955	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 12, 2023 15:12:53.227911949 CEST	192.168.2.3	8.8.8.8	0x266	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.308449030 CEST	192.168.2.3	8.8.8.8	0x91ce	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.386768103 CEST	192.168.2.3	8.8.8.8	0xf244	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.472980976 CEST	192.168.2.3	8.8.8.8	0xe3f6	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.612763882 CEST	192.168.2.3	8.8.8.8	0x1d5e	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.701622009 CEST	192.168.2.3	8.8.8.8	0xade1	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.853107929 CEST	192.168.2.3	8.8.8.8	0x8bff	Standard query (0)	cartolabrasil.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 12, 2023 15:12:53.256798983 CEST	8.8.8.8	192.168.2.3	0x266	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.329137087 CEST	8.8.8.8	192.168.2.3	0x91ce	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.416307926 CEST	8.8.8.8	192.168.2.3	0xf244	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.501493931 CEST	8.8.8.8	192.168.2.3	0xe3f6	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.636167049 CEST	8.8.8.8	192.168.2.3	0x1d5e	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.716465950 CEST	8.8.8.8	192.168.2.3	0xade1	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false
Jul 12, 2023 15:12:53.876625061 CEST	8.8.8.8	192.168.2.3	0x8bff	Name error (3)	cartolabrasil.com	none	none	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• 2w7DKYnIeS.exe
• cmd.exe
• conhost.exe
• cscript.exe

Click to jump to process

Memory Usage

• 2w7DKYnIeS.exe
• cmd.exe
• conhost.exe
• cscript.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	15:12:21
Start date:	12/07/2023
Path:	C:\Users\user\Desktop\2w7DKYnIeS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\2w7DKYnIeS.exe
Imagebase:	0x7ff66ea90000
File size:	875'520 bytes
MD5 hash:	86B93D8CCA249BEA2659D47002B7BF64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	15:12:52
Start date:	12/07/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\DI.bat
Imagebase:	0x7ff707bb0000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	15:12:52
Start date:	12/07/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	15:12:52
Start date:	12/07/2023
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript C:\Users\user\AppData\Local\Temp\QV.vbs
Imagebase:	0x7ff6acdb0000
File size:	164'352 bytes
MD5 hash:	956185CAF895737F30E8EE24DEFCE8E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2w7DKYnIeS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\377142.ini

C:\Users\user\AppData\Local\Temp\DI.bat

C:\Users\user\AppData\Local\Temp\QV.vbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StorYBook.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
2w7DKYnIeS.exe