Edit tour

Windows Analysis Report
LG3adrtYi2.exe

Overview

General Information

Sample name:	LG3adrtYi2.exe renamed because original name is a hash value
Original sample name:	de36bc2bfc3c67820ebd75c912fadc3d.exe
Analysis ID:	1448262
MD5:	de36bc2bfc3c67820ebd75c912fadc3d
SHA1:	38bd51e1052ae5bede5293827e87d6f494b204c8
SHA256:	2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16
Tags:	32exetrojan
Infos:

Detection

Phorpiex

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for dropped file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LG3adrtYi2.exe (PID: 2708 cmdline: "C:\Users\user\Desktop\LG3adrtYi2.exe" MD5: DE36BC2BFC3C67820EBD75C912FADC3D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LG3adrtYi2.exe	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.LG3adrtYi2.exe.f00000.0.unpack	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security
0.2.LG3adrtYi2.exe.f00000.0.unpack	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LG3adrtYi2.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	ReversingLabs: Detection: 79%
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Virustotal: Detection: 71%			Perma Link

Multi AV Scanner detection for submitted file

Source: LG3adrtYi2.exe	ReversingLabs: Detection: 68%
Source: LG3adrtYi2.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.7% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Joe Sandbox ML: detected

Phishing

Yara detected Phorpiex

Source: Yara match	File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE

Source: LG3adrtYi2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: LG3adrtYi2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F028F0 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathCombineW,Sleep,Sleep,FindNextFileW,FindCloseChangeNotification,

0_2_00F028F0

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: VC_redist.x64.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_0978e8bc-c

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe 334EB73AFEC7E581BC3D755494F1BF1C4164D4DB7671F2581EA0A1E48E94CCBA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe F6B6E8A5ECEABC8B6D2F96B1999E16034E32AB6A2FDE2254110A61A27817F956

Source: LG3adrtYi2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/4@0/0

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Mutant created: \Sessions\1\BaseNamedObjects\ 959979

Source: LG3adrtYi2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: LG3adrtYi2.exe	ReversingLabs: Detection: 68%
Source: LG3adrtYi2.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: Compile Script to .exe (x64).lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: Compile Script to .exe (x86).lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: LG3adrtYi2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr

Source: LG3adrtYi2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LG3adrtYi2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LG3adrtYi2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LG3adrtYi2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LG3adrtYi2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: initial sample

Static PE information: section where entry point is pointing to: .zero

Source: VC_redist.x64.exe.0.dr	Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.0.dr	Static PE information: section name: .zero
Source: integrator.exe.0.dr	Static PE information: section name: .zero

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F03221 push ecx; ret

0_2_00F03234

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-544
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-544

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Thread delayed: delay time: 3600000			Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Thread delayed: delay time: 3600000			Jump to behavior

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Window / User API: threadDelayed 1175			Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Window / User API: threadDelayed 7389			Jump to behavior

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816	Thread sleep count: 1175 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816	Thread sleep time: -4230000000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816	Thread sleep count: 7389 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816	Thread sleep time: -26600400000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F028F0 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathCombineW,Sleep,Sleep,FindNextFileW,FindCloseChangeNotification,

0_2_00F028F0

Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Thread delayed: delay time: 3600000			Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe	Thread delayed: delay time: 3600000			Jump to behavior

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

API call chain: ExitProcess graph end node

graph_0-546

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F03358 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00F03358

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F01D30 mov eax, dword ptr fs:[00000030h]

0_2_00F01D30

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F03358 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00F03358

Source: C:\Users\user\Desktop\LG3adrtYi2.exe

Code function: 0_2_00F03288 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00F03288

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	122 Virtualization/Sandbox Evasion	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	122 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LG3adrtYi2.exe	68%	ReversingLabs	Win32.Ransomware.GandCrab
LG3adrtYi2.exe	73%	Virustotal		Browse
LG3adrtYi2.exe	100%	Avira	TR/AD.Phorpiex.zicsf

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	100%	Avira	W32/Infector.Gen
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	100%	Avira	W32/Infector.Gen
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	100%	Joe Sandbox ML
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	79%	ReversingLabs	Win32.Ransomware.GandCrab
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	71%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	0%	URL Reputation	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	VC_redist.x64.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448262
Start date and time:	2024-05-28 07:12:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LG3adrtYi2.exe renamed because original name is a hash value
Original Sample Name:	de36bc2bfc3c67820ebd75c912fadc3d.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:12:54	API Interceptor	11517806x Sleep call for process: LG3adrtYi2.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	j3K4xUSpAP.exe	Get hash	malicious	Phorpiex	Browse
	7Za8LyDkT3.exe	Get hash	malicious	Phorpiex	Browse
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	j3K4xUSpAP.exe	Get hash	malicious	Phorpiex	Browse
	7Za8LyDkT3.exe	Get hash	malicious	Phorpiex	Browse

Created / dropped Files

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Download File

Process:	C:\Users\user\Desktop\LG3adrtYi2.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4436200
Entropy (8bit):	6.56749584340829
Encrypted:	false
SSDEEP:	98304:XlkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pL:1kkCqaE68eV+0y8E6L
MD5:	3628A0C7F2AE1396600281E7EF409232
SHA1:	FF26E243C3CEAB3BA70D02663A9DF109F118504F
SHA-256:	334EB73AFEC7E581BC3D755494F1BF1C4164D4DB7671F2581EA0A1E48E94CCBA
SHA-512:	23D3CE5D3B49ECCBEB2E41C97E011128A034640CE5BAF7F9FABF898CB1C05FD88FA2DA1BA439FE213E99AFCE9F8530BB69A5C7EF0843985A514C8B64F9E1B060
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Joe Sandbox View:	Filename: j3K4xUSpAP.exe, Detection: malicious, Browse Filename: 7Za8LyDkT3.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L.................".... ....Z........C......`+...@...........................C..............................................=......p?..............RC..N....?.....<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@..B.zero.........C......RC................`........................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk

Download File

Process:	C:\Users\user\Desktop\LG3adrtYi2.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 19 17:41:52 2022, mtime=Tue Oct 3 09:52:00 2023, atime=Mon Sep 19 17:41:52 2022, length=1800288, window=hide
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	4.632027866898637
Encrypted:	false
SSDEEP:	24:8mILQv/ErdOE47gLOCOUANHdx4dLoUUFcqEqCqySm:8mUQvcrdOmLLiNHdedL905h/yS
MD5:	350FA50DC58FD12A16E26A371ACC95CD
SHA1:	706EB6FDA3D19BD277C9E4ACFF30C6E73D27CE0C
SHA-256:	BFC14A8741014EA128F0C07D657FE022FE05466BDDB322D20DDB54E3E6D92B5E
SHA-512:	D8BC37B90B3D6931A72C8341D9E0FC1932B81717378D8241AA240258430C81A70D90300223FA71B51BB40429E1436CBB8A383A2428AB508FBEA7AE556D56BC89
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......{W...A.8........{W...`x...........................P.O. .:i.....+00.../C:\.....................1.....CW.V..PROGRA~2.........O.ICW.V....................V......_S.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....CW.V..AutoIt3.@......CW.VCW.V..........................'...A.u.t.o.I.t.3.....V.1.....CW.V..Aut2Exe.@......CW.VCW.V..............................A.u.t.2.E.x.e.....l.2.`x..3U:. .AUT2EX~1.EXE..P......3U:.CW.V..............................A.u.t.2.e.x.e._.x.6.4...e.x.e.......e...............-.......d............F.......C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe..E.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.I.t.3.\.A.u.t.2.E.x.e.\.A.u.t.2.e.x.e._.x.6.4...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.I.t.3.\.A.u.t.2.E.x.e.........*................@Z\|...K.J.........`.......X.......desktop-aget0tr..hT..CrF.f4... .G...a......).;.hT..CrF.f4... .

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk

Download File

Process:	C:\Users\user\Desktop\LG3adrtYi2.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 19 17:41:50 2022, mtime=Tue Oct 3 09:52:00 2023, atime=Mon Sep 19 17:41:50 2022, length=1634400, window=hide
Category:	dropped
Size (bytes):	1208
Entropy (8bit):	4.62426465035476
Encrypted:	false
SSDEEP:	24:8m/HvtQv/ErdOE47gLO4jQA52dq4dLoUUFcQ+qySm:8mtQvcrdOmLXj52djdL903yS
MD5:	6E3815AD2A00A3C631CBE8A61788A64D
SHA1:	8ED178302DDFEC730D9195A9C053A6288FA73B5E
SHA-256:	091004254BC3CED0CC62046CDF4D252E7C626A4B444D966CC8F312BCD4AAC127
SHA-512:	0BB6B9E89BC691A5E2B58E591C5F052B6FBF94B3C960ABAB5C40EBAFB23FF7D918222DCA30B42AE507AE057D27253AAAA1F21DA079EED7FCBE28FD89DAEB1F54
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....zW...A.8.......zW...`............................P.O. .:i.....+00.../C:\.....................1.....CW.V..PROGRA~2.........O.ICW.V....................V......_S.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....CW.V..AutoIt3.@......CW.VCW.V..........................'...A.u.t.o.I.t.3.....V.1.....CW.V..Aut2Exe.@......CW.VCW.V..............................A.u.t.2.E.x.e.....b.2.`...3U9. .Aut2exe.exe.H......3U9.CW.V..............................A.u.t.2.e.x.e...e.x.e.......a...............-.......`............F.......C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe..A.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.I.t.3.\.A.u.t.2.E.x.e.\.A.u.t.2.e.x.e...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.I.t.3.\.A.u.t.2.E.x.e.........*................@Z\|...K.J.........`.......X.......desktop-aget0tr..hT..CrF.f4... .G...a......).;.hT..CrF.f4... .G...a......).;.......

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Download File

Process:	C:\Users\user\Desktop\LG3adrtYi2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	654688
Entropy (8bit):	7.191280968775951
Encrypted:	false
SSDEEP:	12288:enMwHskY7gjcjhVIEhqgM7bWvcsi6aVUfIy5U40vy3W/ceKSHMsiFyY6XN:4MysZgjS1hqgSC/izkfKjymk4HM5yJ
MD5:	E58562571DD10FEE8B3236E647F7654F
SHA1:	BBA519F10EBBBAED3DEE6DA9C9327191C5FEB6C7
SHA-256:	F6B6E8A5ECEABC8B6D2F96B1999E16034E32AB6A2FDE2254110A61A27817F956
SHA-512:	EDEF5991FFE0C5B19C091C549FC9E99E29506416A404F612E792C51853A6C50ABE3CE2C191ABE5780E8AC70246C89F37A0AD9A8BC7A3090BCAC930A9890D0064
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 71%, Browse
Joe Sandbox View:	Filename: j3K4xUSpAP.exe, Detection: malicious, Browse Filename: 7Za8LyDkT3.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L............................v.......p............@..........................}...........................................................;..........(...8(...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B.zero........p.........................`................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.902965139121553
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LG3adrtYi2.exe
File size:	20'480 bytes
MD5:	de36bc2bfc3c67820ebd75c912fadc3d
SHA1:	38bd51e1052ae5bede5293827e87d6f494b204c8
SHA256:	2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16
SHA512:	efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef
SSDEEP:	384:5QpiPUjq7B0CiUAxIAtlYxJ4JVB00rXMSKRC:1PUu7cUyTYOvrX3
TLSH:	DE921906A95A539BE836187063B31D25A0797E72631D95CFFB8005791270EE4FA3335A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=...=...=...EX..=...E^..=...EH..=.......=...=...=...EO..=...EZ..=..Rich.=..................PE..L...;[Kf.................&.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402f0b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x664B5B3B [Mon May 20 14:16:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fb0ee5bafbb99ce467989526f0be15c6

Entrypoint Preview

Instruction
call 00007F9EE47DAA8Dh
jmp 00007F9EE47DA44Bh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F9EE47DA73Ch
cmp dword ptr [eax+10h], 03h
jne 00007F9EE47DA736h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F9EE47DA727h
cmp eax, 19930521h
je 00007F9EE47DA720h
cmp eax, 19930522h
je 00007F9EE47DA719h
cmp eax, 01994000h
jne 00007F9EE47DA717h
call 00007F9EE47DAAE2h
xor eax, eax
pop ebp
retn 0004h
push 00402F15h
call dword ptr [00404034h]
xor eax, eax
ret
int3
jmp dword ptr [00404108h]
push 00000014h
push 00405500h
call 00007F9EE47DA979h
push dword ptr [00406384h]
mov esi, dword ptr [004040B0h]
call esi
pop ecx
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh
jne 00007F9EE47DA71Eh
push dword ptr [ebp+08h]
call dword ptr [004040B4h]
pop ecx
jmp 00007F9EE47DA779h
push 00000008h
call 00007F9EE47DAAA3h
pop ecx
and dword ptr [ebp-04h], 00000000h
push dword ptr [00406384h]
call esi
mov dword ptr [ebp-1Ch], eax
push dword ptr [00406380h]
call esi
pop ecx
pop ecx
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
mov esi, dword ptr [004040CCh]
call esi

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x553c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1f4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5470	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2464	0x2600	c84b200cde39954c6014ca310200a419	False	0.5229235197368421	data	6.06274270454507	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x1bf2	0x1c00	a98880f3ac0c29ffd7f2d418a7f00788	False	0.4619140625	OpenPGP Secret Key	5.507400626408515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x38c	0x200	202a0f14ba4a024e6a35d5895669b769	False	0.060546875	data	0.35275948821577235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0x2a8	0x400	969c292b926b1e9b3c0ce2da6f58292a	False	0.3564453125	data	5.177428148708584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x286	0x400	f932fe66e3eea67c82e1853a32db63b5	False	0.4814453125	data	3.8079558155782713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7058	0x250	ASCII text, with CRLF line terminators	English	United States	0.5084459459459459

Imports

DLL	Import
SHLWAPI.dll	PathCombineW, StrCmpNW
MSVCR90.dll	_crt_debugger_hook, _controlfp_s, _invoke_watson, _except_handler4_common, _decode_pointer, _onexit, _lock, __dllonexit, _unlock, ?terminate@@YAXXZ, __set_app_type, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, wcsstr, memcpy, memset
KERNEL32.dll	IsDebuggerPresent, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, ExitThread, FindFirstFileW, lstrcmpW, FindNextFileW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, GetFileSize, CreateFileMappingA, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, CreateFileW, CloseHandle, CreateThread, ExitProcess, GetLastError, CreateMutexA, Sleep
USER32.dll	CharLowerW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegQueryValueExW
ole32.dll	CoInitializeEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2024 07:13:14.417252064 CEST	53	59055	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	01:12:52
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\LG3adrtYi2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LG3adrtYi2.exe"
Imagebase:	0xf00000
File size:	20'480 bytes
MD5 hash:	DE36BC2BFC3C67820EBD75C912FADC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	132
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F028F0 Relevance: 52.7, APIs: 13, Strings: 17, Instructions: 152
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 00F02966
memset.MSVCR90 ref: 00F0297C
PathCombineW.SHLWAPI(?,$recycle.bin,00F05428), ref: 00F02994
FindFirstFileW.KERNELBASE(?,?), ref: 00F029A8
lstrcmpW.KERNEL32(?,00F0542C), ref: 00F029D8
lstrcmpW.KERNEL32(?,00F05430), ref: 00F029EE
PathCombineW.SHLWAPI(?,$recycle.bin,?), ref: 00F02A0A
CharLowerW.USER32(?), ref: 00F02A37
PathCombineW.SHLWAPI(?,$recycle.bin,?), ref: 00F02ABC
Sleep.KERNELBASE(00000064), ref: 00F02ADC
Sleep.KERNELBASE(00000064), ref: 00F02AFC
FindNextFileW.KERNELBASE(000000FF,?), ref: 00F02B37
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00F02B4C

Strings

VolDrv, xrefs: 00F02B02
programdata, xrefs: 00F02912
system, xrefs: 00F0290B
program files, xrefs: 00F02919
boot, xrefs: 00F02904
$recycle.bin, xrefs: 00F02951, 00F0298C, 00F02A02, 00F02AB4
application data, xrefs: 00F02927
perflogs, xrefs: 00F0294A
appdata, xrefs: 00F02920
.exe, xrefs: 00F02A92
default, xrefs: 00F02935
sys, xrefs: 00F02AC2
msocache, xrefs: 00F0293C
win, xrefs: 00F02AE2
intel, xrefs: 00F0292E
config.msi, xrefs: 00F02943
windows, xrefs: 00F028FD, 00F02A6B

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: CombineFindPath$FileSleeplstrcmpmemset$ChangeCharCloseFirstLowerNextNotification
String ID: $recycle.bin$.exe$VolDrv$appdata$application data$boot$config.msi$default$intel$msocache$perflogs$program files$programdata$sys$system$win$windows
API String ID: 1364993765-4156905926
Opcode ID: ab0945d820e632936bae60a90bc98b989e357da764d84cae0a77d7b0450e52f7
Instruction ID: 09904657998d4cab0cce26422eef57c213196dc2c81a2495d6afe80777e8ac66
Opcode Fuzzy Hash: ab0945d820e632936bae60a90bc98b989e357da764d84cae0a77d7b0450e52f7
Instruction Fuzzy Hash: 445160F5D003189BCB60DFA0DC8DBDE7778BB45705F004498E60DA6181E7B59A88BF65

Function 00F02450 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00F02B26,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F0246C
GetFileSize.KERNEL32(000000FF,00000000), ref: 00F02488

Strings

.zero, xrefs: 00F0266A

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: File$CreateSize
String ID: .zero
API String ID: 2791376181-843663606
Opcode ID: 7130104fb7967785443edcd9f9e0ffec27e69c9240ed552d82138baaca4da3a3
Instruction ID: 6414156acb8ae0c49e5297e9a46b76dea2022fa65636eca591bb1b6bcbdc7e9f
Opcode Fuzzy Hash: 7130104fb7967785443edcd9f9e0ffec27e69c9240ed552d82138baaca4da3a3
Instruction Fuzzy Hash: E1A11D75E00209EFCB44CFA4D999BEEB7B5BF48300F208159EA01BB391D735A941EB64

Function 00F02830 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 00F02836
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00F02884
RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00F028B1
RegCloseKey.KERNELBASE(?), ref: 00F028CE

Strings

NoDrives, xrefs: 00F028A8
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00F02877

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 318c24fd8e32464ea7323035022dcca64f08bdac4a482083a38e638454f44a86
Instruction ID: 90540e194b835126c4ad8a8aac4150746f9680fc58ea00d7fa3adbacf8ba64a8
Opcode Fuzzy Hash: 318c24fd8e32464ea7323035022dcca64f08bdac4a482083a38e638454f44a86
Instruction Fuzzy Hash: 5111C9B5E4020E9BDF14CFD4D949BEEB7B4FB04704F108109E611B6280D7B86A49EFA1

Function 00F01000 Relevance: 10.5, APIs: 7, Instructions: 28
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00F01009
CreateMutexA.KERNELBASE(00000000,00000000,00F04158), ref: 00F01018
GetLastError.KERNEL32 ref: 00F01021
ExitProcess.KERNEL32 ref: 00F01030
CoInitializeEx.OLE32(00000000,00000000), ref: 00F0103A
CreateThread.KERNELBASE(00000000,00000000,Function_00002B80,00000000,00000000,00000000), ref: 00F0104F
Sleep.KERNELBASE(0036EE80), ref: 00F0105A

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: CreateSleep$ErrorExitInitializeLastMutexProcessThread
String ID:
API String ID: 3564892718-0
Opcode ID: 711f2751efda8e34718a0bb5ae18ac0295e43dd6cc10b5e136793c760f42f3f4
Instruction ID: 337186cab3787d0b8c380a3398c2a866a65eb7fd336d0196c1de22360dd2204c
Opcode Fuzzy Hash: 711f2751efda8e34718a0bb5ae18ac0295e43dd6cc10b5e136793c760f42f3f4
Instruction Fuzzy Hash: BFF059B17D8308BBF6602BE0AD0FF593A64BB14F52F214404F74EF91D096E17844BA66

Function 00F027B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNELBASE(00F0278F), ref: 00F027BD
QueryDosDeviceW.KERNELBASE(00F0278F,?,00000208), ref: 00F027FC
StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 00F02814

Strings

\??\, xrefs: 00F02808

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 1eab72680176079021e839b1939af1716f453e71759fbb15dda0509d4c37df59
Instruction ID: 2b3afea1659f4bb0d0b228b2fc487a6c8317bb1523d4d3e314479ec551723f50
Opcode Fuzzy Hash: 1eab72680176079021e839b1939af1716f453e71759fbb15dda0509d4c37df59
Instruction Fuzzy Hash: AC014FB4D4020CDBCF64CF91CC4CAD977B8AB08714F00C0AAAA04A7280D7349AC8EFA4

Function 00F02B80 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F02830: GetLogicalDrives.KERNELBASE ref: 00F02836
Part of subcall function 00F02830: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00F02884
Part of subcall function 00F02830: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00F028B1
Part of subcall function 00F02830: RegCloseKey.KERNELBASE(?), ref: 00F028CE

ExitThread.KERNEL32 ref: 00F02BE1

Part of subcall function 00F02750: lstrcpyW.KERNEL32(?,?), ref: 00F027A3

Part of subcall function 00F028F0: memset.MSVCR90 ref: 00F02966
Part of subcall function 00F028F0: memset.MSVCR90 ref: 00F0297C
Part of subcall function 00F028F0: PathCombineW.SHLWAPI(?,$recycle.bin,00F05428), ref: 00F02994
Part of subcall function 00F028F0: FindFirstFileW.KERNELBASE(?,?), ref: 00F029A8
Part of subcall function 00F028F0: lstrcmpW.KERNEL32(?,00F0542C), ref: 00F029D8
Part of subcall function 00F028F0: lstrcmpW.KERNEL32(?,00F05430), ref: 00F029EE
Part of subcall function 00F028F0: PathCombineW.SHLWAPI(?,$recycle.bin,?), ref: 00F02A0A
Part of subcall function 00F028F0: FindNextFileW.KERNELBASE(000000FF,?), ref: 00F02B37
Part of subcall function 00F028F0: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00F02B4C

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: Find$CloseCombineFilePathlstrcmpmemset$ChangeDrivesExitFirstLogicalNextNotificationOpenQueryThreadValuelstrcpy
String ID:
API String ID: 1875947465-0
Opcode ID: e79ec75c39c374d86c037b17417a732be4d7f99033690ca3908142fa1cd02dc8
Instruction ID: 69ec05ff89933236fa20f3e3248fbb43ab362ca66f384da96a0207c96fe80963
Opcode Fuzzy Hash: e79ec75c39c374d86c037b17417a732be4d7f99033690ca3908142fa1cd02dc8
Instruction Fuzzy Hash: F3011DF5D04208EBCB44DFD4C94AADEB7B4AB88304F1480AAD50573281E6359A84FB65

Function 00F02750 Relevance: 1.3, APIs: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F027B0: GetDriveTypeW.KERNELBASE(00F0278F), ref: 00F027BD

lstrcpyW.KERNEL32(?,?), ref: 00F027A3

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: 056c50cf3e4e2c10da75ad62456f04dca6940e5f4fb4392b812c9c8a0e7fe87e
Instruction ID: c013acb83c3324fcb4cdbfa43a30fc0868afe70c838c50f5aa7b2576b81c8d77
Opcode Fuzzy Hash: 056c50cf3e4e2c10da75ad62456f04dca6940e5f4fb4392b812c9c8a0e7fe87e
Instruction Fuzzy Hash: E6F09075D0020CFBCB00DFA4D8457DDB7B4EF44310F00C0A8E9159B240E235AB18EB55

Non-executed Functions

Function 00F01D30 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4087205311.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.4087188543.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087220602.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4087236229.0000000000F07000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_LG3adrtYi2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction ID: be7eecee3400b42b3e558a840de4aeb97e4223185f45bdd8b65d759b642826a8
Opcode Fuzzy Hash: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction Fuzzy Hash: 85A002321A5B8CC7C612A68DA651B51B3ECE348D54F440461A50D43E015659B9108495

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LG3adrtYi2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Windows Analysis Report
LG3adrtYi2.exe

Function 00F028F0 Relevance: 52.7, APIs: 13, Strings: 17, Instructions: 152
sleepfilestringCOMMON

Function 00F02450 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226
fileCOMMON

Function 00F02830 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Function 00F01000 Relevance: 10.5, APIs: 7, Instructions: 28
sleepsynchronizationthreadCOMMON

Function 00F027B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 00F02B80 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Function 00F02750 Relevance: 1.3, APIs: 1, Instructions: 32
stringCOMMON