Edit tour

Windows Analysis Report
winvnc.exe

Overview

General Information

Sample Name:	winvnc.exe
Analysis ID:	1320270
MD5:	7cd339f9be1417421acf8790c9738922
SHA1:	c25eff4d9d2d5b55f1cc4ffc623354004565e8b9
SHA256:	ec0ec7ce8ef71cb7e7d1c2418c47ad94cea8833db8578ccdf94271f8efed38d3
Tags:	exe

Detection

Score:	11
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains VNC / remote desktop functionality (version string found)

May use bcdedit to modify the Windows boot settings

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

winvnc.exe (PID: 7004 cmdline: C:\Users\user\Desktop\winvnc.exe MD5: 7CD339F9BE1417421ACF8790C9738922)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: winvnc.exe

Static PE information: certificate valid

Source: winvnc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: winvnc.exe
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: winvnc.exe

Source: winvnc.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: _02621E4.RSA	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: _02621E4.RSA	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: winvnc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: winvnc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: winvnc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: winvnc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: winvnc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: winvnc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: winvnc.exe	String found in binary or memory: http://forum.uvnc.com
Source: winvnc.exe	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: winvnc.exe	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: winvnc.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: winvnc.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: _02621E4.RSA	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: winvnc.exe	String found in binary or memory: http://www.uvnc.com
Source: winvnc.exe	String found in binary or memory: http://www.uvnc.comhttp://forum.uvnc.comnet
Source: winvnc.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: _02621E4.RSA	String found in binary or memory: https://www.globalsign.com/repository/0
Source: _02621E4.RSA	String found in binary or memory: https://www.globalsign.com/repository/03
Source: winvnc.exe	String found in binary or memory: https://www.uvnc.com

Source: winvnc.exe

Binary or memory string: OriginalFilename vs winvnc.exe

Source: winvnc.exe	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: winvnc.exe	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: winvnc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\winvnc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\winvnc.exe

Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\winvnc.exe

File created: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: winvnc.exe	String found in binary or memory: -install
Source: winvnc.exe	String found in binary or memory: -startservice
Source: winvnc.exe	String found in binary or memory: -settings-uninstall-install-securityeditor-startservice
Source: winvnc.exe	String found in binary or memory: -settings-uninstall-install-securityeditor-startservice
Source: winvnc.exe	String found in binary or memory: -stopservice
Source: winvnc.exe	String found in binary or memory: -stopreconnect
Source: winvnc.exe	String found in binary or memory: -startservicehelper
Source: winvnc.exe	String found in binary or memory: -installhelper
Source: winvnc.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: winvnc.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: winvnc.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: winvnc.exe	String found in binary or memory: -stopservicehelper
Source: winvnc.exe	String found in binary or memory: -dsmplugininstance-id:VM/CMS.-securityeditor-delsoftwarecad-openhomepage-stopservicehelper
Source: winvnc.exe	String found in binary or memory: -settingshelper-startservice-service_run-softwarecad-run-connectstored
Source: winvnc.exe	String found in binary or memory: -stopservice-rebootforce-service_rdp_runAmigaAtheOS
Source: winvnc.exe	String found in binary or memory: -installdriver
Source: winvnc.exe	String found in binary or memory: -dsmpluginhelperTheosaccess$-installdriver-inifilelocalshrunk
Source: winvnc.exe	String found in binary or memory: winvnc [-sc_prompt] [-sc_exit] [-id:????] [-stopreconnect][-autoreconnect[ ID:????]] [-connect host[:display]] [-connect host[::port]] [-repeater host[:port]] [-inifile ????] [-run]
Source: winvnc.exe	String found in binary or memory: wwinvnc [-sc_prompt] [-sc_exit] [-id:????] [-stopreconnect][-autoreconnect[ ID:????]] [-connect host[:display]] [-connect host[::port]] [-repeater host[:port]] [-inifile ????] [-run]
Source: winvnc.exe	String found in binary or memory: -installhelper
Source: winvnc.exe	String found in binary or memory: -stopservicehelper
Source: winvnc.exe	String found in binary or memory: -startservicehelper
Source: winvnc.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done
Source: winvnc.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done
Source: winvnc.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done

Source: C:\Users\user\Desktop\winvnc.exe

File written: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: classification engine

Classification label: clean11.troj.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\winvnc.exe

File read: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK
Source: C:\Users\user\Desktop\winvnc.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\winvnc.exe	Window detected: Number of UI elements: 75

Source: winvnc.exe

Static file information: File size 3011528 > 1048576

Source: winvnc.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: winvnc.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: winvnc.exe

Static PE information: certificate valid

Source: winvnc.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x178c00

Source: winvnc.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: winvnc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: winvnc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: winvnc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: winvnc.exe
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: winvnc.exe

Source: winvnc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: winvnc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: winvnc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: winvnc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: winvnc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\winvnc.exe	Code function: 0_2_00007FF612164566 push 60F5C5F1h; iretd	0_2_00007FF61216456E
Source: C:\Users\user\Desktop\winvnc.exe	Code function: 0_2_00007FF612164A14 push 6FFDC5D5h; iretd	0_2_00007FF612164A1A
Source: C:\Users\user\Desktop\winvnc.exe	Code function: 0_2_00007FF612164EC4 push 6FFDC5CAh; ret	0_2_00007FF612164ECA
Source: C:\Users\user\Desktop\winvnc.exe	Code function: 0_2_00007FF612164F10 push 6FFDC5C3h; iretd	0_2_00007FF612164F16

Source: winvnc.exe

Static PE information: section name: _RDATA

Source: winvnc.exe	Binary or memory string: bcdedit.exe
Source: winvnc.exe	Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Users\user\Desktop\winvnc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\winvnc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\winvnc.exe TID: 560

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\winvnc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: winvnc.exe	Binary or memory string: , (Hyper-V Tools)
Source: winvnc.exe	Binary or memory string: , (Hyper-V Server)
Source: winvnc.exe	Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: winvnc.exe, 00000000.00000002.2026929062.0000026FC0F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn

Source: winvnc.exe	Binary or memory string: Program Manager
Source: winvnc.exe	Binary or memory string: Shell_TrayWnd
Source: winvnc.exe	Binary or memory string: Progman
Source: winvnc.exe	Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: winvnc.exe	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncdesktop.cpp : ~vncDesktop

Source: C:\Users\user\Desktop\winvnc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\winvnc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\winvnc.exe

Code function: 0_2_00007FF6122933A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6122933A8

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: RfbProto.class

String found in binary or memory: RFB 003.003

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	Data from Local System	Exfiltration Over Other Network Medium	1 Remote Access Software	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Bootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
winvnc.exe	5%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://www.uvnc.comhttp://forum.uvnc.comnet	0%	Avira URL Cloud	safe
http://java.sun.com/products/plugin/index.html#download	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.uvnc.com	winvnc.exe	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	winvnc.exe	false	URL Reputation: safe	unknown
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	winvnc.exe	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	winvnc.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	winvnc.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	winvnc.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	winvnc.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	winvnc.exe	false	URL Reputation: safe	unknown
http://www.uvnc.comhttp://forum.uvnc.comnet	winvnc.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	winvnc.exe	false	URL Reputation: safe	unknown
https://www.uvnc.com	winvnc.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	winvnc.exe	false	URL Reputation: safe	unknown
http://java.sun.com/products/plugin/index.html#download	winvnc.exe	false	Avira URL Cloud: safe	unknown
http://forum.uvnc.com	winvnc.exe	false		high

World Map of Contacted IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1320270
Start date and time:	2023-10-05 14:58:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	winvnc.exe
Detection:	CLEAN
Classification:	clean11.troj.winEXE@1/1@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, Sgrmuserer.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com
Execution Graph export aborted for target winvnc.exe, PID 7004 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: winvnc.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\UltraVNC.ini

Download File

Process:	C:\Users\user\Desktop\winvnc.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	1405
Entropy (8bit):	5.136971285956235
Encrypted:	false
SSDEEP:	24:fJhFXNTxYgMaIUSlAdo9g9iWLseeiI2/rCcXUOFarxbgc8Gy9AJu5U7gyzn:fJzr8LUUAdTkee72/rCUUOoxMNR9i5z
MD5:	6DC1F86CBAB037EAB31C5AC9B08B7E50
SHA1:	DAEFDF1CCB059D4BCC9B553012E2E3AE989E98AB
SHA-256:	CF12B4142FAE32ABE24B8D17169F1A506669161D57C6569CE5817037F10926A4
SHA-512:	2703DDA4F77E57BBBA5C9E98D2BC0D74B49D7AC24EA6E6B172CB8FF8B500FB57D3C31ED3BAD868A88BEBC1FB9ECEC4E31102D9411F296B7279B9D744830F4154
Malicious:	false
Reputation:	low
Preview:	[Permissions]..[admin]..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=1..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..primary=1..secondary=0..SocketConnect=1..HTTPConnect=1..AutoPortSelect=1..InputsEnabled=1..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..EnableUnicodeInput=0..EnableWin8Helper=0..QuerySetting=2..QueryTimeout=10..QueryDisableTime=0..QueryAccept=0..MaxViewerSetting=0..MaxViewers=128..Collabo=0..Frame=0..Notification=0..OSD=0..NotificationSelection=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..DebugMode=0..Avilog=0..path=C:\Users\user\Desktop..DebugLevel=0..AllowLoopback=1..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowInjection=0..AllowEditClients=1..FileTransferTimeout=30..KeepAliveInterval=5..IdleInputTimeout=0..DisableTrayIcon=0..rdpmode=0..noscreensaver=0..Secure=0..MSLogonRequired=0..NewMSLogon=0..ReverseAuthRequired=1..ConnectPriority=0..service_commandline=..accept_reject_mesg

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.591355888492954
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	winvnc.exe
File size:	3'011'528 bytes
MD5:	7cd339f9be1417421acf8790c9738922
SHA1:	c25eff4d9d2d5b55f1cc4ffc623354004565e8b9
SHA256:	ec0ec7ce8ef71cb7e7d1c2418c47ad94cea8833db8578ccdf94271f8efed38d3
SHA512:	f118ea660a51ff38abc20a9ad16f6505cf8a862df1b564829d9af06710e0c4b91d0abbedc4b852696acf0e807a25138d82c2fc518cd54c32dba92f513467b411
SSDEEP:	49152:vAOdl4d7NHNUb75uEEbOyYWHxL9X5zT/dPUAUA/JH:El8DFWHTN
TLSH:	1AD55A16AA50989AD3A28474CD56CA76D7723C1D43F642F331E4BED73B3BA913A36301
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$...........Ad..Ad..Ad......Ld.......d......Sd..'.~.Nd......Rd......Md.......d......fd......Ld..Ad..Zd......@d..Ad..Tf......Zd.......d.

File Icon


Icon Hash:	51ce8ecccc8ef045

Static PE Info

General

Entrypoint:	0x140132ebc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x643AC151 [Sat Apr 15 15:22:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	310b1cc8abef97edfcabf0ed406947cf

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	23/09/2022 02:00:00 23/09/2025 01:59:59
Subject Chain	CN=uvnc bvba, O=uvnc bvba, S=Antwerpen, C=BE
Version:	3
Thumbprint MD5:	9DD4D820F2BD4C1E19D0B58E87D2E5E8
Thumbprint SHA-1:	ADC749D2F75F158C8218857FF187F81B97B3872A
Thumbprint SHA-256:	CAB069B8C7CB68F49FA0E8DCF3BECFDE320F4A241E571C2741B701EB0EC1B833
Serial:	4C03670A31E62B9FACB9D2D37039BD07

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F17848B6D18h
dec eax
add esp, 28h
jmp 00007F17848B66AFh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F17848B6842h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F17848B6845h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F17848B683Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F17848B5E7Ah
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F17848B5BBBh
dec eax
lea edx, dword ptr [000CF73Fh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F17848B8ADAh
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F178479879Bh
dec eax
lea edx, dword ptr [000CFA27h]
dec eax
lea ecx, dword ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x202b00	0x4dc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x202fdc	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b2000	0xc8328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2a5000	0xbb98	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2dcc00	0x27c8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37b000	0x1240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1eb7a0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1eb980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1eb800	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17a000	0xfa0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x178a20	0x178c00	False	0.4302862682481752	data	6.547312417626284	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17a000	0x8c2da	0x8c400	False	0.23794180314171123	data	5.3447528842875185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x207000	0x9d550	0x2200	False	0.20323988970588236	DOS executable (block device driver \322f\324\377\3772)	3.0315124359800243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2a5000	0xbb98	0xbc00	False	0.4939328457446808	data	6.225012673580742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x2b1000	0xf4	0x200	False	0.296875	data	2.416915977417612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2b2000	0xc8328	0xc8400	False	0.3305182486735331	data	5.996399704511186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37b000	0x1240	0x1400	False	0.3951171875	data	5.258512641319918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x2d1830	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2d1810	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2d1828	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2d1820	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2d1818	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2d1838	0x2	data	English	United States	5.0
JAVAARCHIVE	0x2bf720	0x120ed	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	0.9881836003515176
JAVAARCHIVE	0x2d5140	0x120bf	Zip archive data, at least v2.0 to extract, compression method=deflate	Dutch	Belgium	0.9881897752945792
RT_CURSOR	0x2b70d0	0x134	data	English	United States	0.3961038961038961
RT_CURSOR	0x2b7220	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2b7358	0xcac	data	English	United States	0.016029593094944512
RT_CURSOR	0x2b8030	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2b8168	0xcac	data	English	United States	0.07860665844636251
RT_CURSOR	0x2b8e40	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2b8f78	0xcac	data	English	United States	0.07860665844636251
RT_CURSOR	0x2b9c50	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2b9d88	0xcac	data	English	United States	0.06966707768187423
RT_CURSOR	0x2baa60	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2bab98	0xcac	data	English	United States	0.07644882860665844
RT_CURSOR	0x2bb870	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2bb9a8	0xcac	data	English	United States	0.07644882860665844
RT_CURSOR	0x2bc680	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2bc7b8	0xcac	data	English	United States	0.07706535141800247
RT_CURSOR	0x2bd490	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2bd5c8	0xcac	data	English	United States	0.07274969173859433
RT_CURSOR	0x2be2a0	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2be3d8	0xcac	data	English	United States	0.0752157829839704
RT_BITMAP	0x2d1840	0x3028	Device independent bitmap graphic, 64 x 64 x 24, image size 12288, resolution 2835 x 2835 px/m	Dutch	Belgium	0.4681213497728748
RT_BITMAP	0x2b3470	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.11386138613861387
RT_BITMAP	0x2b3798	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.1150990099009901
RT_BITMAP	0x2b3ac0	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.11262376237623763
RT_BITMAP	0x2d4868	0x39c	Device independent bitmap graphic, 17 x 17 x 24, image size 0, resolution 3780 x 3780 px/m	Dutch	Belgium	0.724025974025974
RT_BITMAP	0x2b30d0	0x39c	Device independent bitmap graphic, 17 x 17 x 24, image size 0, resolution 3780 x 3780 px/m			0.7207792207792207
RT_ICON	0x2e7200	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Dutch	Belgium	0.6095415778251599
RT_ICON	0x2e80a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Dutch	Belgium	0.7540613718411552
RT_ICON	0x2e8950	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Dutch	Belgium	0.7292626728110599
RT_ICON	0x2e9018	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Dutch	Belgium	0.5267341040462428
RT_ICON	0x2e9580	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Dutch	Belgium	0.13207533213007072
RT_ICON	0x32b5a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Dutch	Belgium	0.5340248962655602
RT_ICON	0x32db50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Dutch	Belgium	0.649859287054409
RT_ICON	0x32ebf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Dutch	Belgium	0.7213114754098361
RT_ICON	0x32f580	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Dutch	Belgium	0.8147163120567376
RT_ICON	0x32fa70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Dutch	Belgium	0.6010127931769723
RT_ICON	0x330918	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Dutch	Belgium	0.759927797833935
RT_ICON	0x3311c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Dutch	Belgium	0.7695852534562212
RT_ICON	0x331888	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Dutch	Belgium	0.5397398843930635
RT_ICON	0x331df0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Dutch	Belgium	0.13159082167056246
RT_ICON	0x373e18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Dutch	Belgium	0.5381742738589211
RT_ICON	0x3763c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Dutch	Belgium	0.6515009380863039
RT_ICON	0x377468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Dutch	Belgium	0.7295081967213115
RT_ICON	0x377df0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Dutch	Belgium	0.8138297872340425
RT_MENU	0x2bf420	0x296	Matlab v4 mat-file (little endian) &, numeric, rows 7602320, columns 6357106, imaginary	English	United States	0.44108761329305135
RT_MENU	0x2bf6b8	0x68	Matlab v4 mat-file (little endian) &, numeric, rows 7602320, columns 6357106, imaginary	English	United States	0.8173076923076923
RT_DIALOG	0x2b6e18	0x2b4	data	English	United States	0.49710982658959535
RT_DIALOG	0x2b4bd0	0x608	data	English	United States	0.4378238341968912
RT_DIALOG	0x2b4190	0x636	data	English	United States	0.39119496855345914
RT_DIALOG	0x2b47c8	0x194	data	English	United States	0.5767326732673267
RT_DIALOG	0x2b4960	0x26a	data	English	United States	0.4854368932038835
RT_DIALOG	0x2b3de8	0x174	data	English	United States	0.5860215053763441
RT_DIALOG	0x2b3f60	0x22c	data	English	United States	0.48381294964028776
RT_DIALOG	0x2d4c08	0x532	data	Dutch	Belgium	0.37819548872180453
RT_DIALOG	0x2b51d8	0x19ae	data	English	United States	0.33799817462731974
RT_DIALOG	0x2b6b88	0x28a	data	English	United States	0.44153846153846155
RT_STRING	0x3782e0	0x174	data	English	United States	0.5080645161290323
RT_STRING	0x378458	0x2a2	Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0	English	United States	0.35756676557863504
RT_STRING	0x378700	0x8d6	data	English	United States	0.268788682581786
RT_STRING	0x378fd8	0x8c4	data	English	United States	0.3270944741532977
RT_STRING	0x3798a0	0x6fc	data	English	United States	0.3529082774049217
RT_GROUP_CURSOR	0x2be278	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2bd468	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2bc658	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2b8008	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9411764705882353
RT_GROUP_CURSOR	0x2bb848	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2baa38	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2b9c28	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2b8e18	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2bf088	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x2b7208	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_ICON	0x32f9e8	0x84	data	Dutch	Belgium	0.6818181818181818
RT_GROUP_ICON	0x378258	0x84	data	Dutch	Belgium	0.6742424242424242
RT_VERSION	0x2bf0b0	0x36c	data	English	United States	0.4417808219178082
RT_MANIFEST	0x379fa0	0x387	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.40420819490586934

Imports

DLL	Import
WS2_32.dll	setsockopt, getsockopt, WSAGetLastError, gethostbyname, inet_ntoa, htons, htonl, WSACleanup, __WSAFDIsSet, accept, bind, WSAIoctl, closesocket, select, shutdown, listen, WSAStartup, getpeername, inet_addr, getsockname, send, socket, connect, recv, ntohl, WSASendTo, gethostname
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
USERENV.dll	ExpandEnvironmentStringsForUserA, DestroyEnvironmentBlock, CreateEnvironmentBlock
KERNEL32.dll	WritePrivateProfileStringA, GetPrivateProfileStructA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileSectionA, CreateFileMappingA, Sleep, CreateThread, MulDiv, VerSetConditionMask, VerifyVersionInfoW, ReadFile, WriteFile, OutputDebugStringA, WaitForMultipleObjects, GetEnvironmentVariableA, WaitForSingleObject, CreateFileW, GetSystemDirectoryW, SetCurrentDirectoryA, lstrcatW, LoadLibraryW, SetFileAttributesA, CreateEventA, WaitNamedPipeW, GetExitCodeProcess, ResumeThread, ResetEvent, CompareFileTime, CreateFileA, GetFileSize, GetFileTime, GetStdHandle, WriteConsoleA, FreeConsole, FormatMessageA, AllocConsole, GetExitCodeThread, MoveFileA, GetDriveTypeA, SetFileTime, SetErrorMode, SetFilePointer, SetEndOfFile, GetFileAttributesA, MoveFileExA, FileTimeToSystemTime, GetLogicalDriveStringsA, SystemTimeToFileTime, CreateDirectoryA, GetSystemTime, FlushFileBuffers, TerminateProcess, VirtualAllocEx, ReadProcessMemory, SetThreadExecutionState, VirtualFreeEx, TerminateThread, SizeofResource, FindResourceA, LockResource, LoadResource, CreateMutexA, ReleaseMutex, GlobalGetAtomNameA, GlobalDeleteAtom, GetModuleHandleW, SetProcessShutdownParameters, WinExec, WritePrivateProfileStructA, HeapReAlloc, RaiseException, FreeLibraryAndExitThread, ExitThread, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetEnvironmentVariableW, GetCPInfo, SetStdHandle, SetFilePointerEx, ReadConsoleW, GetTimeZoneInformation, GetConsoleMode, GetConsoleOutputCP, GetModuleHandleExW, ExitProcess, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileInformationByHandle, GetDriveTypeW, LoadLibraryExW, RtlUnwind, EncodePointer, RtlPcToFileHeader, RtlUnwindEx, OutputDebugStringW, InitializeSListHead, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateSemaphoreA, TlsFree, TlsGetValue, TlsAlloc, GetCurrentThread, DuplicateHandle, SetThreadPriority, ReleaseSemaphore, TlsSetValue, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, SwitchToThread, GetFileType, lstrcatA, lstrcmpiA, lstrcpynA, DosDateTimeToFileTime, GetLocalTime, FileTimeToLocalFileTime, SetVolumeLabelA, LocalFileTimeToFileTime, GetVersion, GetLocaleInfoA, GetFullPathNameA, lstrcpyA, CompareStringW, LCMapStringW, GetLocaleInfoW, OpenProcess, FlsAlloc, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, DecodePointer, GetModuleFileNameW, GetStringTypeW, CreateDirectoryW, GetFileSizeEx, DeleteFileW, GetCurrentProcessId, WTSGetActiveConsoleSessionId, Process32FirstW, Process32Next, Process32NextW, GlobalAddAtomA, ProcessIdToSessionId, CreateToolhelp32Snapshot, Process32First, GetComputerNameA, GetSystemInfo, GetSystemDirectoryA, MapViewOfFile, OpenFileMappingA, UnmapViewOfFile, DeleteFileA, GetTempPathA, FindClose, FindNextFileA, FindFirstFileA, GetProcessTimes, GetSystemTimeAsFileTime, DeleteCriticalSection, GetModuleHandleA, InitializeCriticalSection, LeaveCriticalSection, GetCurrentProcess, EnterCriticalSection, CloseHandle, GetVersionExA, SetEvent, GetLastError, GetCurrentThreadId, OpenEventA, GetModuleFileNameA, GetTickCount, FreeLibrary, GetProcessHeap, GetProcAddress, HeapAlloc, InitializeCriticalSectionAndSpinCount, LoadLibraryA, lstrlenA, SetLastError, HeapFree, GlobalUnlock, WideCharToMultiByte, GlobalLock, GlobalFree, GetFileAttributesExW, GlobalAlloc, GlobalSize, MultiByteToWideChar, SetFileAttributesW, MoveFileExW, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, RemoveDirectoryW, HeapSize, WriteConsoleW, FlsGetValue, FlsSetValue, FlsFree, OpenThread, QueryPerformanceFrequency, LocalFree, SetThreadAffinityMask, InitializeCriticalSectionEx, GetVolumeInformationA
USER32.dll	GetSubMenu, SetMenuDefaultItem, DestroyMenu, TrackPopupMenuEx, RemoveMenu, EnableMenuItem, EnableWindow, GetWindow, VkKeyScanA, IsWindow, GetAsyncKeyState, MapVirtualKeyA, ToAscii, SendInput, SetClipboardViewer, GetClipboardOwner, WaitMessage, PostThreadMessageA, ChangeClipboardChain, SendNotifyMessageA, PeekMessageA, IsWindowVisible, LoadMenuA, GetIconInfo, GetClassNameA, WindowFromPoint, ChangeWindowMessageFilter, EnumDesktopWindows, SetRect, DrawIconEx, DestroyIcon, GetKeyboardState, mouse_event, PtInRect, MessageBeep, FlashWindow, EnumDisplaySettingsExA, EnumDisplayDevicesA, ChangeDisplaySettingsExA, GetKeyState, keybd_event, EnumDisplaySettingsA, EnumWindows, GetWindowLongA, SetWindowLongA, RedrawWindow, SetDlgItemInt, CheckDlgButton, GetDlgItemInt, IntersectRect, GetWindowRect, LoadStringA, ScreenToClient, GetScrollInfo, IsDlgButtonChecked, FillRect, MoveWindow, SetFocus, SendDlgItemMessageA, GetCursorPos, ExitWindowsEx, LockWorkStation, DrawIcon, SetLayeredWindowAttributes, UpdateWindow, InvalidateRect, GetMessageA, LoadImageA, DispatchMessageA, LoadCursorA, DestroyWindow, SetWindowPos, DrawTextA, SetWindowDisplayAffinity, AdjustWindowRect, DefWindowProcA, IsRectEmpty, CreateWindowExA, TranslateMessage, LoadIconA, GetClientRect, PostQuitMessage, RegisterClassExA, BeginPaint, EndPaint, wsprintfA, SystemParametersInfoA, GetWindowThreadProcessId, GetUserObjectInformationA, PostMessageA, RegisterWindowMessageA, FindWindowExA, OpenDesktopA, MessageBoxA, GetProcessWindowStation, FindWindowA, GetSystemMetrics, EndDialog, DialogBoxParamA, ShowWindow, GetDlgItemTextA, SetTimer, SetDlgItemTextA, SendMessageA, GetDlgItem, GetWindowLongPtrA, KillTimer, SetWindowLongPtrA, SetForegroundWindow, SetThreadDesktop, GetThreadDesktop, CloseDesktop, GetForegroundWindow, OpenInputDesktop, GetDesktopWindow, GetDC, ReleaseDC, OpenClipboard, CloseClipboard, EmptyClipboard, GetClipboardData, SetClipboardData, IsClipboardFormatAvailable, RegisterClipboardFormatA, GetTopWindow, OemToCharA, CharToOemA, wvsprintfA, SetWindowTextA
GDI32.dll	GetBitmapBits, SetDIBColorTable, GdiFlush, RealizePalette, SelectPalette, SetBkColor, CreateFontIndirectA, GetObjectA, ExtEscape, GetSystemPaletteEntries, DeleteObject, DeleteDC, GetPixel, GetDeviceCaps, GetDIBits, CreateCompatibleDC, CreateDIBSection, SelectObject, CreateCompatibleBitmap, BitBlt, CreateFontA, CreateDCA, CreateSolidBrush, Rectangle, CreatePen, SetBkMode, SetTextColor, GetClipBox, GetStockObject, StretchBlt, PatBlt, GetRgnBox, CombineRgn, PtInRegion, GetRegionData, CreateRectRgn, OffsetRgn, CreatePalette, SetRectRgn
ADVAPI32.dll	SetSecurityInfo, RegCreateKeyA, GetSecurityDescriptorSacl, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorA, SetSecurityDescriptorSacl, InitializeSecurityDescriptor, CreateServiceA, GetSecurityDescriptorLength, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, IsValidSid, IsValidSecurityDescriptor, GetKernelObjectSecurity, SetKernelObjectSecurity, IsValidAcl, AdjustTokenPrivileges, StartServiceCtrlDispatcherA, QueryServiceStatus, RegDeleteKeyA, SetTokenInformation, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, DeleteService, DuplicateTokenEx, ImpersonateLoggedOnUser, EqualSid, AllocateAndInitializeSid, FreeSid, OpenProcessToken, RevertToSelf, CloseServiceHandle, OpenSCManagerA, GetUserNameA, LookupAccountSidA, OpenServiceA, GetTokenInformation, CreateProcessAsUserA, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA
SHELL32.dll	ShellExecuteA, SHGetMalloc, Shell_NotifyIconA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHFileOperationA, ShellExecuteExA
ole32.dll	CoInitialize, CoCreateInstance, CoUninitialize
SHLWAPI.dll	PathStripPathA
IMM32.dll	ImmGetDefaultIMEWnd
dwmapi.dll	DwmIsCompositionEnabled
IPHLPAPI.DLL	GetAdaptersInfo

Exports

Name	Ordinal	Address
adler32	1	0x1400d3270
adler32_combine	2	0x1400d3360
adler32_z	3	0x1400d3030
compress	4	0x1400d3490
compress2	5	0x1400d3370
compressBound	6	0x1400d34b0
crc32	7	0x1400cc320
crc32_combine	8	0x1400cc6b0
crc32_final	9	0x1400cc820
crc32_init	10	0x1400cc7b0
crc32_update	11	0x1400cc7f0
crc32_z	12	0x1400cc260
deflate	13	0x1400cfe30
deflateBound	14	0x1400cfc50
deflateCopy	15	0x1400d0ab0
deflateEnd	16	0x1400d09a0
deflateGetDictionary	17	0x1400cf4e0
deflateInit2_	18	0x1400ceec0
deflateInit_	19	0x1400cee80
deflateParams	20	0x1400cfa00
deflatePending	21	0x1400cf870
deflatePrime	22	0x1400cf8f0
deflateReset	23	0x1400cf720
deflateResetKeep	24	0x1400cf5b0
deflateSetDictionary	25	0x1400cf210
deflateSetHeader	26	0x1400cf810
deflateTune	27	0x1400cfbd0
get_crc_table	28	0x1400cc250
inflate	29	0x1400ccdc0
inflateCodesUsed	30	0x1400cedb0
inflateCopy	31	0x1400ceab0
inflateEnd	32	0x1400ce5d0
inflateGetDictionary	33	0x1400ce650
inflateGetHeader	34	0x1400ce7e0
inflateInit2_	35	0x1400ccb20
inflateInit_	36	0x1400ccc20
inflateMark	37	0x1400ced30
inflatePrime	38	0x1400ccc30
inflateReset	39	0x1400cc9c0
inflateReset2	40	0x1400cca10
inflateResetKeep	41	0x1400cc910
inflateSetDictionary	42	0x1400ce700
inflateSync	43	0x1400ce8a0
inflateSyncPoint	44	0x1400cea60
inflateUndermine	45	0x1400cec90
inflateValidate	46	0x1400cece0
uncompress	47	0x1400d3010
uncompress2	48	0x1400d2e70
zError	49	0x1400d3b90
zlibCompileFlags	50	0x1400d3b80
zlibVersion	51	0x1400d3b70

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Dutch	Belgium

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• winvnc.exe

Click to jump to process

Memory Usage

• winvnc.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: winvnc.exePID: 7004, Parent PID: 3968

Function Logs

General

Target ID:	0
Start time:	14:59:18
Start date:	05/10/2023
Path:	C:\Users\user\Desktop\winvnc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\winvnc.exe
Imagebase:	0x7ff612160000
File size:	3'011'528 bytes
MD5 hash:	7CD339F9BE1417421ACF8790C9738922
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Network Activities

Socket bound

Socket connected

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report winvnc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\UltraVNC.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: winvnc.exePID: 7004, Parent PID: 3968

General

File Activities

Windows Analysis Report
winvnc.exe