Edit tour

Windows Analysis Report
SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Overview

General Information

Sample name:	SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Analysis ID:	1447452
MD5:	ae09f3510f52dfc175d014de7d3aa667
SHA1:	7c9f7581d246cb08a5f7f0fdd5af8974f9f9faf8
SHA256:	4f948480805fd39934d7f27be3bb892961595687094da5dd863722d508e04314
Tags:	exe
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe (PID: 1228 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe" MD5: AE09F3510F52DFC175D014DE7D3AA667)

conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Source:	Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb%% source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

String found in binary or memory: https://dash.insolence.online/

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Code function: 0_2_00007FF715BD53F0		0_2_00007FF715BD53F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Code function: 0_2_00007FF715BD136B		0_2_00007FF715BD136B

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe "C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Section loaded: msvcp140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Section loaded: vcruntime140_1d.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Section loaded: ucrtbased.dll	Jump to behavior

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Source:	Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb%% source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: section name: .textbss
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: section name: .msvcjmc
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Static PE information: section name: .00cfg

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Code function: 0_2_00007FF715BD1370 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF715BD1370

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Code function: 0_2_00007FF715BD58A0 VirtualQuery,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00007FF715BD58A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Code function: 0_2_00007FF715BD3870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF715BD3870
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Code function: 0_2_00007FF715BD1285 SetUnhandledExceptionFilter,	0_2_00007FF715BD1285
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	Code function: 0_2_00007FF715BD1370 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF715BD1370

Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Code function: 0_2_00007FF715BD45E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF715BD45E0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	8%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://dash.insolence.online/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://dash.insolence.online/	SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447452
Start date and time:	2024-05-25 01:28:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe, PID 1228 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	3.699570420152903
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
File size:	68'096 bytes
MD5:	ae09f3510f52dfc175d014de7d3aa667
SHA1:	7c9f7581d246cb08a5f7f0fdd5af8974f9f9faf8
SHA256:	4f948480805fd39934d7f27be3bb892961595687094da5dd863722d508e04314
SHA512:	cc1aabe5dd82f49ec4b20abe54bc3f911f1b70f6f4c95958241a6b1bc3f3bb051d57a979dccba618a44d072105c64fd2328c6b28207a3814ae749ed399c42b0f
SSDEEP:	768:ZLT9k1C4lytSliZrRlKn+BA0iMrAS9om:t9kU4eSqrTK+BzrSm
TLSH:	0B63F84BB3AA20F3D476C13E99860325FAB0712413311BDB519289B99F312EC7E3D796
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................:...............!.......!.......!.......Rich....................PE..d...6.\|d...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400112d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x647C8136 [Sun Jun 4 12:19:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d564d984efe80920080627a1a467a618

Entrypoint Preview

Instruction
jmp 00007F54FCCD9CB0h
jmp 00007F54FCCDBC3Bh
jmp 00007F54FCCDD486h
jmp 00007F54FCCDB741h
jmp 00007F54FCCDC14Ch
jmp 00007F54FCCDD437h
jmp 00007F54FCCDD3A8h
jmp 00007F54FCCDB93Dh
jmp 00007F54FCCDB848h
jmp 00007F54FCCDAA23h
jmp 00007F54FCCDC26Eh
jmp 00007F54FCCDC8E9h
jmp 00007F54FCCDB1D4h
jmp 00007F54FCCDD319h
jmp 00007F54FCCDD386h
jmp 00007F54FCCDB0A5h
jmp 00007F54FCCDD2E0h
jmp 00007F54FCCDB91Bh
jmp 00007F54FCCDD3F6h
jmp 00007F54FCCDD2F5h
jmp 00007F54FCCD914Ch
jmp 00007F54FCCDB867h
jmp 00007F54FCCDB912h
jmp 00007F54FCCDD35Fh
jmp 00007F54FCCDC018h
jmp 00007F54FCCDBF03h
jmp 00007F54FCCDAFFEh
jmp 00007F54FCCDD2AFh
jmp 00007F54FCCDB404h
jmp 00007F54FCCDD221h
jmp 00007F54FCCD93CAh
jmp 00007F54FCCDCD45h
jmp 00007F54FCCDB900h
jmp 00007F54FCCD91CBh
jmp 00007F54FCCDD310h
jmp 00007F54FCCDD263h
jmp 00007F54FCCDAF3Ch
jmp 00007F54FCCDAF47h
jmp 00007F54FCCD9313h
jmp 00007F54FCCD9BCDh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x214e8	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x43c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1e000	0x1dc4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x68	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b8a0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1b720	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x4e8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.textbss	0x1000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x11000	0x8a03	0x8c00	d9030aad6f9223d7c8a0477e14895666	False	0.24458705357142857	data	3.689618088340925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x2f95	0x3000	87acf528129d7c3300aba5cf81d050d1	False	0.18074544270833334	data	2.356743242831185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d000	0x8f0	0x200	6a4c7a8567d6b15659b224a9b7d8edfe	False	0.09765625	data	0.5080478223007707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1e000	0x21e4	0x2200	58fafc5f0d5edaa028a622c2f21dcf8b	False	0.09650735294117647	data	1.2325506101942232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x21000	0x1567	0x1600	cdd798cc8b07d0b707cc8a16f83e1769	False	0.2579900568181818	data	3.8257893954481763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0x23000	0x224	0x400	448550209f86635fc358bda595da0898	False	0.0185546875	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.7921703563573823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x24000	0x175	0x200	b71b60996f56ca573f6b4ba7e0ca73a9	False	0.06640625	data	0.46454760634715014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x43c	0x600	70143e4401b8ff04168516e4dd17d259	False	0.18098958333333334	data	2.1429708819311997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x27a	0x400	a501a843dc51c9b07b56f58da7a68b04	False	0.1181640625	data	0.7600180663735265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x25170	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	SetConsoleTitleA, IsDebuggerPresent, RaiseException, MultiByteToWideChar, WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, GetProcAddress, GetStartupInfoW, GetModuleHandleW, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, VirtualQuery, FreeLibrary, GetCurrentThreadId
MSVCP140D.dll	?uncaught_exception@std@@YA_NXZ, ?good@ios_base@std@@QEBA_NXZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
VCRUNTIME140_1D.dll	__CxxFrameHandler4
VCRUNTIME140D.dll	__C_specific_handler, __C_specific_handler_noexcept, __std_type_info_destroy_list, memcpy, __current_exception, __current_exception_context, __vcrt_GetModuleFileNameW, __vcrt_GetModuleHandleW, __vcrt_LoadLibraryExW
ucrtbased.dll	_initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, terminate, _wmakepath_s, _wsplitpath_s, wcscpy_s, _seh_filter_dll, strcpy_s, __p__commode, _set_new_mode, _configthreadlocale, _register_thread_local_exe_atexit_callback, __stdio_common_vsprintf_s, __p___argv, __p___argc, _set_fmode, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __setusermatherr, _set_app_type, _seh_filter_exe, _CrtDbgReportW, _CrtDbgReport, strlen, system, _cexit, strcat_s, _c_exit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	19:28:51
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe"
Imagebase:	0x7ff715bc0000
File size:	68'096 bytes
MD5 hash:	AE09F3510F52DFC175D014DE7D3AA667
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	19:28:51
Start date:	24/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF715BD58A0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 253memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF715BD58DA
GetProcAddress.KERNEL32 ref: 00007FF715BD59BF
GetProcessHeap.KERNEL32 ref: 00007FF715BD5B37
HeapAlloc.KERNEL32 ref: 00007FF715BD5B4A
GetProcessHeap.KERNEL32 ref: 00007FF715BD5BF3
HeapFree.KERNEL32 ref: 00007FF715BD5C01

Strings

9N, xrefs: 00007FF715BD58F5
PDBOpenValidate5, xrefs: 00007FF715BD59B5

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$AddressAllocFreeProcQueryVirtual
String ID: PDBOpenValidate5$9N
API String ID: 1898765391-657718174
Opcode ID: 5c6dc10c2b093a57b043e20b742cc91024c22abed6e83efa1290ba7ba7a7c5f4
Instruction ID: 91d4972d25fb0fdffa618b38d25af34d04c6e83c5ab82a1f92d6b0be3715735a
Opcode Fuzzy Hash: 5c6dc10c2b093a57b043e20b742cc91024c22abed6e83efa1290ba7ba7a7c5f4
Instruction Fuzzy Hash: 58B13A22B09E4A86EB35AF65E48066CB3A1FB88F98B944135DA4D537B5DF3CD409C710

Function 00007FF715BD1370 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF715BD4931
RtlCaptureContext.KERNEL32 ref: 00007FF715BD496C
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF715BD498C
RtlVirtualUnwind.KERNEL32 ref: 00007FF715BD49DA
IsDebuggerPresent.KERNEL32 ref: 00007FF715BD4A3E
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF715BD4A7A
UnhandledExceptionFilter.KERNEL32 ref: 00007FF715BD4A85

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e0086d5a74eb13fd3fac3b6d21aaf2219799975006b6d5f48ac9950bb802882e
Instruction ID: f9710d466357f9d899067bc26a9b0043db8db16ad117b28f465ff7bf62c7dd8a
Opcode Fuzzy Hash: e0086d5a74eb13fd3fac3b6d21aaf2219799975006b6d5f48ac9950bb802882e
Instruction Fuzzy Hash: 32410432608BC186E7359B14F4403AAB7A4FB88BA4F900136D68D42BA9EF7CC548CB10

Function 00007FF715BD1285 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF715BD4C9B

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85bc3b1dab7882dc17796688e510be7034801ad8ba9e1b7f0132434d0a3a9cdb
Instruction ID: 769beaef79ea6ed6b50d5f96ddcbe499298b828545dcf0e03e4e05702557a72d
Opcode Fuzzy Hash: 85bc3b1dab7882dc17796688e510be7034801ad8ba9e1b7f0132434d0a3a9cdb
Instruction Fuzzy Hash: 74B09214E19C42D1E63CBB26AC860B49220AF54B2DFE40431C10E101B18F1CA2EE8720

Function 00007FF715BD136B Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2cb57a64bb284946a8e3057aed50d67c236fb0676cc670812fd5e9bcbcf821
Instruction ID: 9056aab6eb1a6bddc190545cb56e88c12a948a425998f9adbfdf8e6fc9a25413
Opcode Fuzzy Hash: 9b2cb57a64bb284946a8e3057aed50d67c236fb0676cc670812fd5e9bcbcf821
Instruction Fuzzy Hash: B2A120B2609A418BE778DB2CE492726F6E0E784758F944135E699CB7E4DB3CE8048F14

Function 00007FF715BD1087 Relevance: 21.2, APIs: 14, Instructions: 229COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD1903
?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD192C
?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD1956
?flags@ios_base@std@@QEBAHXZ.MSVCP140D ref: 00007FF715BD19CC
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140D ref: 00007FF715BD1A22
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF715BD1A4C
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140D ref: 00007FF715BD1A67
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF715BD1AD8
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140D ref: 00007FF715BD1AF7
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140D ref: 00007FF715BD1B5A
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF715BD1B84
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140D ref: 00007FF715BD1B9F
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140D ref: 00007FF715BD1C0C
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140D ref: 00007FF715BD1C39

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID:
API String ID: 4125389999-0
Opcode ID: a639c217398595d06b5b0813c811225cf0e30f2a5eefc72840e2d8c5f673727d
Instruction ID: 620bf39f23ab89d7c8255df1c6f7875d756a8bac0bc8873a398fe84395ad4d71
Opcode Fuzzy Hash: a639c217398595d06b5b0813c811225cf0e30f2a5eefc72840e2d8c5f673727d
Instruction Fuzzy Hash: EFC1D636A05FC699DB34DF65E9942EC77A0FB88B98F504036DA0E4BB69DF38D6448310

Function 00007FF715BD5230 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetPdbDllFromInstallPath.LIBCMTD ref: 00007FF715BD525D

Part of subcall function 00007FF715BD53F0: GetLastError.KERNEL32 ref: 00007FF715BD545D
Part of subcall function 00007FF715BD53F0: GetProcAddress.KERNEL32 ref: 00007FF715BD548F
Part of subcall function 00007FF715BD53F0: GetProcAddress.KERNEL32 ref: 00007FF715BD54A7
Part of subcall function 00007FF715BD53F0: GetProcAddress.KERNEL32 ref: 00007FF715BD54BF
Part of subcall function 00007FF715BD53F0: FreeLibrary.KERNEL32 ref: 00007FF715BD54FE

GetPdbDllPathFromFilePath.LIBCMTD ref: 00007FF715BD52A9
GetLastError.KERNEL32 ref: 00007FF715BD52CD
GetLastError.KERNEL32 ref: 00007FF715BD530A
GetPdbDllPathFromFilePath.LIBCMTD ref: 00007FF715BD5341

Strings

9N, xrefs: 00007FF715BD528D, 00007FF715BD5325
VCRUNTIME140D.dll, xrefs: 00007FF715BD526B
MSPDB140, xrefs: 00007FF715BD52F3

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: Path$AddressErrorFromLastProc$File$FreeInstallLibrary
String ID: MSPDB140$VCRUNTIME140D.dll$9N
API String ID: 1028968980-70536244
Opcode ID: 3637fe9d05765ed0085608815b6dfd39f4cd830def96fd497a19d43cd7f416b7
Instruction ID: faa9ed8ab5a973873a94ddb7952db417b95b922d117b4594956e72e72b9e92d9
Opcode Fuzzy Hash: 3637fe9d05765ed0085608815b6dfd39f4cd830def96fd497a19d43cd7f416b7
Instruction Fuzzy Hash: E2317061F09E8241FA78B711E4513B992A0AF95B68FC40035DA4E465F6EF6CE60DCB20

Function 00007FF715BD22D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 18processCOMMON

Download Yara Rule

APIs

SetConsoleTitleA.KERNEL32 ref: 00007FF715BD22F2

Part of subcall function 00007FF715BD1087: ?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD1903
Part of subcall function 00007FF715BD1087: ?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD192C
Part of subcall function 00007FF715BD1087: ?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF715BD1956
Part of subcall function 00007FF715BD1087: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140D ref: 00007FF715BD1C39

system.UCRTBASED ref: 00007FF715BD2312

Strings

pause, xrefs: 00007FF715BD230B
INSTALL NEW INSOLENCE V5, xrefs: 00007FF715BD22EB
Hi! Insolence got a big update please install the new version.https://dash.insolence.online/, xrefs: 00007FF715BD22F8

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: ?width@ios_base@std@@$?setstate@?$basic_ios@ConsoleD@std@@@std@@TitleU?$char_traits@system
String ID: Hi! Insolence got a big update please install the new version.https://dash.insolence.online/$INSTALL NEW INSOLENCE V5$pause
API String ID: 4267507070-76746686
Opcode ID: 4b538a0491c41589676622450522fb1c0c961590fc4933488eed3920e8536353
Instruction ID: 7449141f11a207543c02edb33bd35dc0de353b48403c7d9eaca7dd4e5ef17f3f
Opcode Fuzzy Hash: 4b538a0491c41589676622450522fb1c0c961590fc4933488eed3920e8536353
Instruction Fuzzy Hash: 37E0A521A08C4695EB39BB20ED513F8A324EB44B79FD84431D50E52175DF6CE24DC720

Function 00007FF715BD1E50 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF715BD1398: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF715BD1DF4

?good@ios_base@std@@QEBA_NXZ.MSVCP140D ref: 00007FF715BD1EA6
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF715BD1EE1

Memory Dump Source

Source File: 00000000.00000002.2872180133.00007FF715BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF715BC0000, based on PE: true

Associated: 00000000.00000002.2872155784.00007FF715BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872180133.00007FF715BD8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872224247.00007FF715BDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872247277.00007FF715BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872266102.00007FF715BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872288721.00007FF715BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2872310189.00007FF715BE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff715bc0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
String ID:
API String ID: 3792166412-0
Opcode ID: 822dad3f407e0b78afc75b990add5d4135428d567151ef334b8f3d08d0a26802
Instruction ID: 374633e870a97cdda79f3919efb22e39a9e50468b2f8358b7e9198c3c067c1bb
Opcode Fuzzy Hash: 822dad3f407e0b78afc75b990add5d4135428d567151ef334b8f3d08d0a26802
Instruction Fuzzy Hash: 4031D636609FC988DB74DF26D8803E867A0EB98F98F548036DA8D47765DF78D188C310

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exePID: 1228, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 2852, Parent PID: 1228

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exePID: 1228, Parent PID: 2580COMMON

Non-executed Functions

Function 00007FF715BD58A0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 253memorylibraryloaderCOMMON

Function 00007FF715BD1370 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Function 00007FF715BD1285 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Windows Analysis Report
SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe