Edit tour

Windows Analysis Report
RAPS.exe

Overview

General Information

Sample name:	RAPS.exe
Analysis ID:	1425795
MD5:	186b2c70b01e5d04822b2280ada6e5c6
SHA1:	9e52dcbc72b489db0f54b071b158de1126615c4b
SHA256:	a051ccc1cfe9ff753aeaf9fde76d826750abc6b75e38a9ee89c5e0187e069d74
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Sigma detected: Suspicious Copy From or To System Directory

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

RAPS.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\RAPS.exe" MD5: 186B2C70B01E5D04822B2280ADA6E5C6)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7044 cmdline: C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c if exist kaps1.log copy /y kaps1.log kaps2.log > NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7080 cmdline: C:\Windows\system32\cmd.exe /c if exist ~kaps.log ( copy /y ~kaps.log + kaps.log kaps1.log > NUL ) ELSE ( copy /y kaps.log kaps1.log > NUL ) MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7096 cmdline: C:\Windows\system32\cmd.exe /c del /q ~kaps.log > NUL 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL, CommandLine: C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\RAPS.exe", ParentImage: C:\Users\user\Desktop\RAPS.exe, ParentProcessId: 6980, ParentProcessName: RAPS.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL, ProcessId: 7044, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: RAPS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: classification engine

Classification label: clean2.winEXE@10/3@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03

Source: RAPS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RAPS.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\RAPS.exe "C:\Users\user\Desktop\RAPS.exe"
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps1.log copy /y kaps1.log kaps2.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist ~kaps.log ( copy /y ~kaps.log + kaps.log kaps1.log > NUL ) ELSE ( copy /y kaps.log kaps1.log > NUL )
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del /q ~kaps.log > NUL 2>&1
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps1.log copy /y kaps1.log kaps2.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist ~kaps.log ( copy /y ~kaps.log + kaps.log kaps1.log > NUL ) ELSE ( copy /y kaps.log kaps1.log > NUL )
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del /q ~kaps.log > NUL 2>&1

Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: wlanapi.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\RAPS.exe	Section loaded: dhcpcsvc.dll

Source: RAPS.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RAPS.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: RAPS.exe

Static file information: File size 1767936 > 1048576

Source: RAPS.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x119a00

Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RAPS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RAPS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: RAPS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: RAPS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RAPS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RAPS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RAPS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RAPS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RAPS.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters

Source: C:\Users\user\Desktop\RAPS.exe	Window / User API: threadDelayed 372
Source: C:\Users\user\Desktop\RAPS.exe	Window / User API: threadDelayed 390

Source: C:\Users\user\Desktop\RAPS.exe TID: 6984	Thread sleep time: -820000s >= -30000s
Source: C:\Users\user\Desktop\RAPS.exe TID: 6984	Thread sleep time: -3720000s >= -30000s
Source: C:\Users\user\Desktop\RAPS.exe TID: 6984	Thread sleep time: -3900000s >= -30000s

Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps2.log copy /y kaps2.log kaps3.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist kaps1.log copy /y kaps1.log kaps2.log > NUL
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c if exist ~kaps.log ( copy /y ~kaps.log + kaps.log kaps1.log > NUL ) ELSE ( copy /y kaps.log kaps1.log > NUL )
Source: C:\Users\user\Desktop\RAPS.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del /q ~kaps.log > NUL 2>&1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	11 Process Injection	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RAPS.exe	0%	ReversingLabs
RAPS.exe	1%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1425795
Start date and time:	2024-04-14 18:17:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	RAPS.exe
Detection:	CLEAN
Classification:	clean2.winEXE@10/3@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\RAPS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101531
Entropy (8bit):	5.121904756698806
Encrypted:	false
SSDEEP:
MD5:	A1198976BB8AB5D7946F270F2D154E7C
SHA1:	7216D178E155DB9E6728FCF52E08E65365ED73BD
SHA-256:	27BB603C488AA74ED06D26A89B29F3ABAE1FF44771B5C39595EFE577F25CC58A
SHA-512:	19712BBE0963F6409BCBCADB478500B57F6370C3C4ED00A7B7695E4BF1900D3EC8244E949B7607B81C67A980B58D53C20C8F51D334453E549DEC3BE758E55036
Malicious:	false
Reputation:	unknown
Preview:	[14/04/2024T18:18:23.761] C:\Users\user\Desktop\RAPS.exe - Main:[start] RUNNING AS APPLICATION [3.1122.1000.0, Jul 28 2022 @ 02:37:20] DYNAMIC_SCAN_THRESHOLD..0000000<Sun Apr 14 20:08:56 2024-0000142>~<INFO>:RAPS.exe v3.1122.1000.0, BUILD Date Jul 28 2022 02:37:20....[14/04/2024T18:18:23.905]CNotificationManagerSingleton::WorkThreadProc: waiting on m_pWorkerEvent.....CGlobalConfigContainer::InitPostSettings: RandomCsv: 1.1.1..[14/04/2024T18:18:23.985]CWlanClient::CWlanClient(): WlanOpenHandle() failed - 1062..[14/04/2024T18:18:24.1]CWifiClientContainer::CWifiClientContainer: Exception WlanOpenHandle() failed: 1062..[14/04/2024T18:18:24.1]CWifiClientContainer::CWifiClientContainer: Failed to create Wlan Client!..[14/04/2024T18:18:24.1]CWlanClient::CWlanClient(): WlanOpenHandle() failed - 1062..[14/04/2024T18:18:24.17]CWifiClientContainer::Initialize: Exception WlanOpenHandle() failed: 1062..[14/04/2024T18:18:24.17]Main[TOP loop]: No Supported Wifi Adapters.....[14/04/2024T18:18:24.17] M

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.553508854797679
Encrypted:	false
SSDEEP:
MD5:	0818F0855D4103D823F8044EAF7DB9DB
SHA1:	376412F9429FE0B5496400FB7BA59396CE3E0BA9
SHA-256:	240B54B13A51B0B053279FAE4D5F2428A3DACAE695504E372AD103E2E16CA8DA
SHA-512:	C2C4E99C395788B648F1511D418FC756C712BE28E3528A03C966114527EE826DA0D9390C8D99ED7CD6F94A666D4AAFB5B65C171C6F6D3B5DCD60B1224913CD77
Malicious:	false
Reputation:	unknown
Preview:	Could Not Find C:\Users\user\Desktop\~kaps.log..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.170485676003678
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RAPS.exe
File size:	1'767'936 bytes
MD5:	186b2c70b01e5d04822b2280ada6e5c6
SHA1:	9e52dcbc72b489db0f54b071b158de1126615c4b
SHA256:	a051ccc1cfe9ff753aeaf9fde76d826750abc6b75e38a9ee89c5e0187e069d74
SHA512:	a508bca9a2476a6e3f1df2d265637e397e736ffa7ff48b436a831697bc7bb6be8e7bccea564aa894e730e986492345383d621ed07d0316170daefef89cf493e6
SSDEEP:	49152:DQ2/RP4eAZsBnNQ7bb0uUkAZkw4QEadlV:9RxUnvU9N
TLSH:	9485490577E800A4D07BC678C9A6851BE6727C450F35DADF12D1865E2F37BE18E3AB22
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.:.i.T.i.T.i.T...W.b.T...Q...T.;.W.`.T.;.P.J.T.;.Q...T...P...T...U.t.T.i.U.,.T...].Q.T.....h.T.i...h.T...V.h.T.Richi.T........

File Icon


Icon Hash:	3637393d3b0f4e0e

Static PE Info

General

Entrypoint:	0x1400bd0e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E1F6B0 [Thu Jul 28 02:38:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	935b686812e8d4246e2278af50aa30fb

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA7AC6F234Ch
dec eax
add esp, 28h
jmp 00007FA7AC6F1C47h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FA7AC6F1DE2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FA7AC6F1DE5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FA7AC6F1DDDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FA7AC6F1072h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FA7AC6F1D41h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x188950	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19f000	0x14f78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x194000	0xa8cc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b4000	0x19e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x161920	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x161a90	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x161990	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11b000	0x920	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1198c0	0x119a00	fdbd9338121e4172e72f5431d685ae90	False	0.46908722397913893	data	6.40985298762481	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11b000	0x6f9a6	0x6fa00	d9bae3ef86ecfd3f8e1d1751f88b6fbf	False	0.31031941139417696	data	4.858806239641028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18b000	0x80a4	0x4e00	0673e32ee31545bec0307b9543f7e60d	False	0.1743289262820513	DOS executable (block device driver ght (c)	4.25847747080798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x194000	0xa8cc	0xaa00	09e3243a2da25992043be240840c242c	False	0.5033318014705882	data	6.06687976934415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19f000	0x14f78	0x15000	d5fadce98df9623ef87ec7fb076a73ee	False	0.2797967819940476	data	3.7774732152853137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1b4000	0x19e4	0x1a00	4fdcefa5c95577bf086bc4650e8c5d88	False	0.3460036057692308	data	5.4370680826027655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19f250	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.38423236514522824
RT_ICON	0x1a17f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43621013133208253
RT_ICON	0x1a28a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6037234042553191
RT_ICON	0x1a2d08	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.2470424701289483
RT_STRING	0x1b3840	0x484	data	English	United States	0.34342560553633217
RT_STRING	0x1b3cc8	0x12c	data	English	United States	0.5133333333333333
RT_GROUP_ICON	0x1b3530	0x3e	data	English	United States	0.7903225806451613
RT_VERSION	0x1b3570	0x2cc	data	English	United States	0.4692737430167598
RT_MANIFEST	0x1b3df8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess, GetVersionExW, GetCurrentThread, ReleaseSemaphore, WaitForMultipleObjects, CreateSemaphoreW, TerminateProcess, CreatePipe, GetFileAttributesW, GetTempPathA, GetTimeZoneInformation, FileTimeToSystemTime, FileTimeToLocalFileTime, CreateProcessW, GetSystemTimeAsFileTime, GetExitCodeProcess, CreateEventW, InitializeCriticalSectionAndSpinCount, SetEndOfFile, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, LocalFree, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, PeekConsoleInputA, GetNumberOfConsoleInputEvents, ReadConsoleW, SetFilePointerEx, GetFileSizeEx, GetFileAttributesExW, GetConsoleMode, FlushFileBuffers, GetFileType, EnumSystemLocalesW, LocalAlloc, GetSystemPowerStatus, WTSGetActiveConsoleSessionId, GetLocalTime, ConnectNamedPipe, GetOverlappedResult, ResetEvent, ReadFileEx, GlobalFree, GlobalAlloc, SetEvent, DisconnectNamedPipe, WaitForMultipleObjectsEx, WriteFileEx, CreateNamedPipeW, lstrlenW, CreateFileW, PeekNamedPipe, WriteFile, ReadFile, HeapReAlloc, HeapSize, TerminateThread, WaitForSingleObject, CloseHandle, QueryPerformanceCounter, GetCurrentProcessId, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetConsoleCP, GetModuleHandleExW, ResumeThread, QueryPerformanceFrequency, GetModuleHandleW, Sleep, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetTickCount64, GetProcessHeap, DeleteCriticalSection, DecodePointer, HeapAlloc, RaiseException, GetLastError, InitializeCriticalSectionEx, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetEnvironmentStringsW, HeapFree, ExitThread, RtlPcToFileHeader, RtlUnwindEx, LoadLibraryW, RtlUnwind, CreateTimerQueue, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, DuplicateHandle, VirtualFree, VirtualProtect, VirtualAlloc, LoadLibraryExW, GetModuleHandleA, GetModuleFileNameW, FreeLibraryAndExitThread, FreeLibrary, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, CreateThread, SignalObjectAndWait, InitializeSListHead, GetStartupInfoW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, GetCPInfo, GetLocaleInfoW, LCMapStringW, CompareStringW, EncodePointer, GetProcAddress, GetTickCount, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SwitchToThread, SetLastError, GetCurrentThreadId, TryEnterCriticalSection, GetStringTypeW, OutputDebugStringW, IsDebuggerPresent
USER32.dll	PostMessageA, EnumWindows, GetWindowTextW, GetMessageW, DefWindowProcW, CreateWindowExW, FindWindowW, LoadStringW, UpdateWindow, PostQuitMessage, SendMessageW, UnregisterSuspendResumeNotification, RegisterClassExW, ShowWindow, DispatchMessageW, RegisterSuspendResumeNotification, LoadCursorW, LoadIconW, TranslateMessage
GDI32.dll	CreateSolidBrush
ADVAPI32.dll	OpenSCManagerW, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, EventUnregister, EventSetInformation, EventRegister, EventWriteTransfer, CreateProcessAsUserW, RegSetValueExW, RegCreateKeyExW, RegDeleteKeyValueW, GetTokenInformation, OpenThreadToken, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseServiceHandle, OpenServiceW
ole32.dll	CLSIDFromString, CoCreateInstance, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoCreateGuid, StringFromCLSID
OLEAUT32.dll	SysFreeString
IPHLPAPI.DLL	FreeMibTable, GetAdaptersAddresses, GetAdaptersInfo, GetTcpTable, GetTcp6Table, GetIpForwardTable, CreateIpForwardEntry, GetIpInterfaceEntry, DeleteIpForwardEntry, InitializeIpInterfaceEntry, GetIfTable, IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile, Icmp6SendEcho2, GetIpNetTable2, Icmp6CreateFile
WS2_32.dll	InetNtopW, getaddrinfo, WSACleanup, WSAStartup, inet_addr
pdh.dll	PdhAddCounterW, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhRemoveCounter, PdhOpenQueryW, PdhCloseQuery
wlanapi.dll	WlanQueryInterface, WlanGetNetworkBssList, WlanDeleteProfile, WlanGetFilterList, WlanGetInterfaceCapability, WlanScan, WlanReasonCodeToString, WlanConnect, WlanGetProfile, WlanGetAvailableNetworkList, WlanSetProfile, WlanFreeMemory, WlanRegisterNotification, WlanCloseHandle, WlanEnumInterfaces, WlanOpenHandle, WlanDisconnect
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock
WTSAPI32.dll	WTSQueryUserToken, WTSFreeMemory, WTSRegisterSessionNotification, WTSEnumerateSessionsA
WINHTTP.dll	WinHttpCrackUrl, WinHttpConnect, WinHttpSetTimeouts, WinHttpSendRequest, WinHttpWriteData, WinHttpGetIEProxyConfigForCurrentUser, WinHttpReceiveResponse, WinHttpOpen, WinHttpAddRequestHeaders, WinHttpDetectAutoProxyConfigUrl, WinHttpQueryHeaders, WinHttpReadData, WinHttpOpenRequest, WinHttpSetOption, WinHttpCloseHandle, WinHttpQueryDataAvailable, WinHttpGetProxyForUrl
ntdll.dll	RtlIpv6AddressToStringW, RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RAPS.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
RAPS.exe