Edit tour

Windows Analysis Report
root.cer

Overview

General Information

Sample name:	root.cer
Analysis ID:	1453562
MD5:	fad869056a02abc53b2630a36a15f2e5
SHA1:	7c66b1ea25d5fc4a0dfb07ef71335fc82c86bc2f
SHA256:	5cba3ff0cc1ebd5c1e6a302840ba8f747172e98d53c56e59d74bb96ea8983904

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 5892 cmdline: "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\user\Desktop\root.cer MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7040 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIDrzCCApegAwIBAgIUNEshgcQKRunD+9V56pIpwR/IAeowDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZUppYW5nMREwDwYDVQQHDAhIYW5nWmhvdTEMMAoGA1UECgwDQklDMQswCQYDVQQLDAJHTjEXMBUGA1UEAwwOQklDLUdOLVJPT1QtVjEwHhcNMjIxMDMxMTA1MTA0WhcNMzIxMDI4MTA1MTA0WjBnMQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlSmlhbmcxETAPBgNVBAcMCEhhbmdaaG91MQwwCgYDVQQKDANCSUMxCzAJBgNVBAsMAkdOMRcwFQYDVQQDDA5CSUMtR04tUk9PVC1WMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwvp7Yhtgg7YKJxBArzEaA6WbuDYxFxMxLd5QwPohyLw9ucYr2tKBSpvJek3w1FY3Cj9BpzlVVHR4JkCkS7svOCZBPMC0Avrili3VefMeHeLIXqVUAuRfokxo6TEUraQrZLogD7AO9rTNrk18vJP0Zwy7qsrhlub+a2Gvu192H8WfCRYeolx+9yHVlKwYqyBo0FLGs4blRFm5MNIu1v/jGvncyblb+u8m9n+4UhCUmSMg2YHzz8MOlbLMPvjl6H/AfflJlsECGX+ZaJm9FX6bCbvVBNTzIKIHKNsDkCDgNVrPecFffk6Sg7+OUvccddYK+v7c3LASeoAtGJ6Rd/xUUCAwEAAaNTMFEwHQYDVR0OBBYEFCDMiRKvNCP1HeiFv0jbZdtV8zMJMB8GA1UdIwQYMBaAFCDMiRKvNCP1HeiFv0jbZdtV8zMJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIT1R20gfOgXMiXOJ0e3lwE2NxbCJIVdk4WHAIe03T9QWi9GDe88CesAHtpM7Ua5pi4v+2W3y5ybCOLAH2fIfpFGKFMfFdkSc+UXlSuLBiBYwUUzIIenLl+z3Ak/mc/VLDrg4gULRhpLHSM7at/EOtPKu5yOPQQ2wp0sHpDTekp1ULyy6bm2OdEnko8vObq2Q8G2Ae7DQ8XnTus1DhSR3m2iON/FkeDkeHzgXUTEOa4kwwHpWldFBBVyV1iZy89SKbu7PnJ1BNFJ+MlkxnAFh3E/AWD1Go+4TcLieRyJ/UjfZZlb3bFQGohBExNfO4+xg9JQ/7UOJ3SQonhtaZMLWas= 197328 MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Joe Sandbox Signatures

• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean1.winCER@3/2@0/12

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\Request

Source: C:\Windows\System32\rundll32.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\user\Desktop\root.cer

Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\user\Desktop\root.cer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIDrzCCApegAwIBAgIUNEshgcQKRunD+9V56pIpwR/IAeowDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZUppYW5nMREwDwYDVQQHDAhIYW5nWmhvdTEMMAoGA1UECgwDQklDMQswCQYDVQQLDAJHTjEXMBUGA1UEAwwOQklDLUdOLVJPT1QtVjEwHhcNMjIxMDMxMTA1MTA0WhcNMzIxMDI4MTA1MTA0WjBnMQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlSmlhbmcxETAPBgNVBAcMCEhhbmdaaG91MQwwCgYDVQQKDANCSUMxCzAJBgNVBAsMAkdOMRcwFQYDVQQDDA5CSUMtR04tUk9PVC1WMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwvp7Yhtgg7YKJxBArzEaA6WbuDYxFxMxLd5QwPohyLw9ucYr2tKBSpvJek3w1FY3Cj9BpzlVVHR4JkCkS7svOCZBPMC0Avrili3VefMeHeLIXqVUAuRfokxo6TEUraQrZLogD7AO9rTNrk18vJP0Zwy7qsrhlub+a2Gvu192H8WfCRYeolx+9yHVlKwYqyBo0FLGs4blRFm5MNIu1v/jGvncyblb+u8m9n+4UhCUmSMg2YHzz8MOlbLMPvjl6H/AfflJlsECGX+ZaJm9FX6bCbvVBNTzIKIHKNsDkCDgNVrPecFffk6Sg7+OUvccddYK+v7c3LASeoAtGJ6Rd/xUUCAwEAAaNTMFEwHQYDVR0OBBYEFCDMiRKvNCP1HeiFv0jbZdtV8zMJMB8GA1UdIwQYMBaAFCDMiRKvNCP1HeiFv0jbZdtV8zMJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIT1R20gfOgXMiXOJ0e3lwE2NxbCJIVdk4WHAIe03T9QWi9GDe88CesAHtpM7Ua5pi4v+2W3y5ybCOLAH2fIfpFGKFMfFdkSc+UXlSuLBiBYwUUzIIenLl+z3Ak/mc/VLDrg4gULRhpLHSM7at/EOtPKu5yOPQQ2wp0sHpDTekp1ULyy6bm2OdEnko8vObq2Q8G2Ae7DQ8XnTus1DhSR3m2iON/FkeDkeHzgXUTEOa4kwwHpWldFBBVyV1iZy89SKbu7PnJ1BNFJ+MlkxnAFh3E/AWD1Go+4TcLieRyJ/UjfZZlb3bFQGohBExNfO4+xg9JQ/7UOJ3SQonhtaZMLWas= 197328
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIDrzCCApegAwIBAgIUNEshgcQKRunD+9V56pIpwR/IAeowDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZUppYW5nMREwDwYDVQQHDAhIYW5nWmhvdTEMMAoGA1UECgwDQklDMQswCQYDVQQLDAJHTjEXMBUGA1UEAwwOQklDLUdOLVJPT1QtVjEwHhcNMjIxMDMxMTA1MTA0WhcNMzIxMDI4MTA1MTA0WjBnMQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlSmlhbmcxETAPBgNVBAcMCEhhbmdaaG91MQwwCgYDVQQKDANCSUMxCzAJBgNVBAsMAkdOMRcwFQYDVQQDDA5CSUMtR04tUk9PVC1WMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwvp7Yhtgg7YKJxBArzEaA6WbuDYxFxMxLd5QwPohyLw9ucYr2tKBSpvJek3w1FY3Cj9BpzlVVHR4JkCkS7svOCZBPMC0Avrili3VefMeHeLIXqVUAuRfokxo6TEUraQrZLogD7AO9rTNrk18vJP0Zwy7qsrhlub+a2Gvu192H8WfCRYeolx+9yHVlKwYqyBo0FLGs4blRFm5MNIu1v/jGvncyblb+u8m9n+4UhCUmSMg2YHzz8MOlbLMPvjl6H/AfflJlsECGX+ZaJm9FX6bCbvVBNTzIKIHKNsDkCDgNVrPecFffk6Sg7+OUvccddYK+v7c3LASeoAtGJ6Rd/xUUCAwEAAaNTMFEwHQYDVR0OBBYEFCDMiRKvNCP1HeiFv0jbZdtV8zMJMB8GA1UdIwQYMBaAFCDMiRKvNCP1HeiFv0jbZdtV8zMJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIT1R20gfOgXMiXOJ0e3lwE2NxbCJIVdk4WHAIe03T9QWi9GDe88CesAHtpM7Ua5pi4v+2W3y5ybCOLAH2fIfpFGKFMfFdkSc+UXlSuLBiBYwUUzIIenLl+z3Ak/mc/VLDrg4gULRhpLHSM7at/EOtPKu5yOPQQ2wp0sHpDTekp1ULyy6bm2OdEnko8vObq2Q8G2Ae7DQ8XnTus1DhSR3m2iON/FkeDkeHzgXUTEOa4kwwHpWldFBBVyV1iZy89SKbu7PnJ1BNFJ+MlkxnAFh3E/AWD1Go+4TcLieRyJ/UjfZZlb3bFQGohBExNfO4+xg9JQ/7UOJ3SQonhtaZMLWas= 197328

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\System32\rundll32.exe

Window found: window name: SysTabControl32

Source: C:\Windows\System32\rundll32.exe

File opened: C:\Windows\system32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\rundll32.exe TID: 6088

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIDrzCCApegAwIBAgIUNEshgcQKRunD+9V56pIpwR/IAeowDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZUppYW5nMREwDwYDVQQHDAhIYW5nWmhvdTEMMAoGA1UECgwDQklDMQswCQYDVQQLDAJHTjEXMBUGA1UEAwwOQklDLUdOLVJPT1QtVjEwHhcNMjIxMDMxMTA1MTA0WhcNMzIxMDI4MTA1MTA0WjBnMQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlSmlhbmcxETAPBgNVBAcMCEhhbmdaaG91MQwwCgYDVQQKDANCSUMxCzAJBgNVBAsMAkdOMRcwFQYDVQQDDA5CSUMtR04tUk9PVC1WMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwvp7Yhtgg7YKJxBArzEaA6WbuDYxFxMxLd5QwPohyLw9ucYr2tKBSpvJek3w1FY3Cj9BpzlVVHR4JkCkS7svOCZBPMC0Avrili3VefMeHeLIXqVUAuRfokxo6TEUraQrZLogD7AO9rTNrk18vJP0Zwy7qsrhlub+a2Gvu192H8WfCRYeolx+9yHVlKwYqyBo0FLGs4blRFm5MNIu1v/jGvncyblb+u8m9n+4UhCUmSMg2YHzz8MOlbLMPvjl6H/AfflJlsECGX+ZaJm9FX6bCbvVBNTzIKIHKNsDkCDgNVrPecFffk6Sg7+OUvccddYK+v7c3LASeoAtGJ6Rd/xUUCAwEAAaNTMFEwHQYDVR0OBBYEFCDMiRKvNCP1HeiFv0jbZdtV8zMJMB8GA1UdIwQYMBaAFCDMiRKvNCP1HeiFv0jbZdtV8zMJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIT1R20gfOgXMiXOJ0e3lwE2NxbCJIVdk4WHAIe03T9QWi9GDe88CesAHtpM7Ua5pi4v+2W3y5ybCOLAH2fIfpFGKFMfFdkSc+UXlSuLBiBYwUUzIIenLl+z3Ak/mc/VLDrg4gULRhpLHSM7at/EOtPKu5yOPQQ2wp0sHpDTekp1ULyy6bm2OdEnko8vObq2Q8G2Ae7DQ8XnTus1DhSR3m2iON/FkeDkeHzgXUTEOa4kwwHpWldFBBVyV1iZy89SKbu7PnJ1BNFJ+MlkxnAFh3E/AWD1Go+4TcLieRyJ/UjfZZlb3bFQGohBExNfO4+xg9JQ/7UOJ3SQonhtaZMLWas= 197328

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "c:\windows\system32\rundll32.exe" c:\windows\system32\cryptext.dll,cryptextaddcermachineonlyandhwnd miidrzccapegawibagiuneshgcqkrund+9v56pipwr/iaeowdqyjkozihvcnaqelbqawzzelmakga1uebhmcq04xetapbgnvbagmcfpozuppyw5nmrewdwydvqqhdahiyw5nwmhvdtemmaoga1uecgwdqkldmqswcqydvqqldajhtjexmbuga1ueawwoqkldludolvjpt1qtvjewhhcnmjixmdmxmta1mta0whcnmzixmdi4mta1mta0wjbnmqswcqydvqqgewjdtjerma8ga1uecawiwmhlsmlhbmcxetapbgnvbacmcehhbmdaag91mqwwcgydvqqkdancsumxczajbgnvbasmakdomrcwfqydvqqdda5csumtr04tuk9pvc1wmtccasiwdqyjkozihvcnaqebbqadggepadccaqocggebamwvp7yhtgg7ykjxbarzeaa6wbudyxfxmxld5qwpohylw9ucyr2tkbspvjek3w1fy3cj9bpzlvvhr4jkcks7svoczbpmc0avrili3vefmehelixqvuaurfokxo6teuraqrzlogd7ao9rtnrk18vjp0zwy7qsrhlub+a2gvu192h8wfcryeolx+9yhvlkwyqybo0flgs4blrfm5mniu1v/jgvncyblb+u8m9n+4uhcumsmg2yhzz8molblmpvjl6h/affljlsecgx+zajm9fx6bcbvvbntzikihknsdkcdgnvrpecfffk6sg7+ouvccddyk+v7c3laseoatgj6rd/xuucaweaaantmfewhqydvr0obbyefcdmirkvncp1heifv0jbzdtv8zmjmb8ga1udiwqymbaafcdmirkvncp1heifv0jbzdtv8zmjma8ga1udeweb/wqfmambaf8wdqyjkozihvcnaqelbqadggebait1r20gfogxmixoj0e3lwe2nxbcjivdk4whaie03t9qwi9gde88cesahtpm7ua5pi4v+2w3y5ybcolah2fifpfgkfmffdksc+uxlsulbibywuuziienll+z3ak/mc/vldrg4gulrhplhsm7at/eotpku5yopqq2wp0shpdtekp1ulyy6bm2odenko8vobq2q8g2ae7dq8xntus1dhsr3m2ion/fkedkehzgxuteoa4kwwhpwldfbbvyv1izy89skbu7pnj1bnfj+mlkxnafh3e/awd1go+4tclieryj/ujfzzlb3bfqgohbexnfo4+xg9jq/7uoj3sqonhtazmlwas= 197328
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "c:\windows\system32\rundll32.exe" c:\windows\system32\cryptext.dll,cryptextaddcermachineonlyandhwnd miidrzccapegawibagiuneshgcqkrund+9v56pipwr/iaeowdqyjkozihvcnaqelbqawzzelmakga1uebhmcq04xetapbgnvbagmcfpozuppyw5nmrewdwydvqqhdahiyw5nwmhvdtemmaoga1uecgwdqkldmqswcqydvqqldajhtjexmbuga1ueawwoqkldludolvjpt1qtvjewhhcnmjixmdmxmta1mta0whcnmzixmdi4mta1mta0wjbnmqswcqydvqqgewjdtjerma8ga1uecawiwmhlsmlhbmcxetapbgnvbacmcehhbmdaag91mqwwcgydvqqkdancsumxczajbgnvbasmakdomrcwfqydvqqdda5csumtr04tuk9pvc1wmtccasiwdqyjkozihvcnaqebbqadggepadccaqocggebamwvp7yhtgg7ykjxbarzeaa6wbudyxfxmxld5qwpohylw9ucyr2tkbspvjek3w1fy3cj9bpzlvvhr4jkcks7svoczbpmc0avrili3vefmehelixqvuaurfokxo6teuraqrzlogd7ao9rtnrk18vjp0zwy7qsrhlub+a2gvu192h8wfcryeolx+9yhvlkwyqybo0flgs4blrfm5mniu1v/jgvncyblb+u8m9n+4uhcumsmg2yhzz8molblmpvjl6h/affljlsecgx+zajm9fx6bcbvvbntzikihknsdkcdgnvrpecfffk6sg7+ouvccddyk+v7c3laseoatgj6rd/xuucaweaaantmfewhqydvr0obbyefcdmirkvncp1heifv0jbzdtv8zmjmb8ga1udiwqymbaafcdmirkvncp1heifv0jbzdtv8zmjma8ga1udeweb/wqfmambaf8wdqyjkozihvcnaqelbqadggebait1r20gfogxmixoj0e3lwe2nxbcjivdk4whaie03t9qwi9gde88cesahtpm7ua5pi4v+2w3y5ybcolah2fifpfgkfmffdksc+uxlsulbibywuuziienll+z3ak/mc/vldrg4gulrhplhsm7at/eotpku5yopqq2wp0shpdtekp1ulyy6bm2odenko8vobq2q8g2ae7dq8xntus1dhsr3m2ion/fkedkehzgxuteoa4kwwhpwldfbbvyv1izy89skbu7pnj1bnfj+mlkxnafh3e/awd1go+4tclieryj/ujfzzlb3bfqgohbexnfo4+xg9jq/7uoj3sqonhtazmlwas= 197328

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
root.cer	0%	ReversingLabs
root.cer	0%	Virustotal		Browse

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.184.221.240	unknown	European Union		15133	EDGECASTUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1453562
Start date and time:	2024-06-07 09:20:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	root.cer
Detection:	CLEAN
Classification:	clean1.winCER@3/2@0/12
Cookbook Comments:	Found application associated with file extension: .cer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:
MD5:	DCC44B949FD12C52204A6E696DB71CEB
SHA1:	E601E01116E11C9251C3C2A701097A274AECBDDA
SHA-256:	80BF40BCAB30FCC29D4F903A89E8919ACA74C54B7DD2B2D37CE74F89A5DED619
SHA-512:	E5BD346011AF223A54A6A59DC78604F6D45C82D52DA397E20327EB0351B6B702A6B0C8139337F1107EF57922A82CB74FE9BFFB190272EC440D35B9D90DE04EB6
Malicious:	false
Reputation:	unknown
Preview:	p...... ........T.C;....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PEM certificate
Entropy (8bit):	5.884184096990009
TrID:	Internet Security Certificate (39527/1) 100.00%
File name:	root.cer
File size:	1'338 bytes
MD5:	fad869056a02abc53b2630a36a15f2e5
SHA1:	7c66b1ea25d5fc4a0dfb07ef71335fc82c86bc2f
SHA256:	5cba3ff0cc1ebd5c1e6a302840ba8f747172e98d53c56e59d74bb96ea8983904
SHA512:	acd85465b0ae1f9ba551a9319a5f100e82c355af207cdae26dd5ebeb66adc7caa715017c7eeb5eaeb6ecf95135fd6ce46b6d1f73e53bbd8efd43effec4ecf700
SSDEEP:	24:Lrcw940ma85lz0knknTR0Mx3j2ZMSVjaAkZgEo0xhhIeQjGQJ:LrcwS0mjaknkTiMEZMSVGAP0xhM6E
TLSH:	DA21B3FB9F123C48A0F7C189CF852A14ECF653A32CC9B8B2AD0B3C028F464AA3545145
File Content Preview:	-----BEGIN CERTIFICATE-----.MIIDrzCCApegAwIBAgIUNEshgcQKRunD+9V56pIpwR/IAeowDQYJKoZIhvcNAQEL.BQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZUppYW5nMREwDwYDVQQHDAhI.YW5nWmhvdTEMMAoGA1UECgwDQklDMQswCQYDVQQLDAJHTjEXMBUGA1UEAwwOQklD.LUdOLVJPT1QtVjEwHhcNMjIxMDMxMTA1

File Icon


Icon Hash:	8292cc9eba9a1918

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report root.cer

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Windows Analysis Report
root.cer