Windows Analysis Report
Wo0CkmOz64.exe

ID:	1459120
Product:	CloudBasic
Start time:	21:17:12
Start date:	18.06.2024
Sample:	Wo0CkmOz64.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	06b81c8edd7f620513a06e3a5cc11483
SHA1:	af4ffbf3510bb2e86387d26a6de309736548b340
SHA256:	65082d1a97a4636a529d3a52248ec1eed728fa78c1a3b3e34986e0378b393f1c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: Wo0CkmOz64.exe

Avira: detected

Source: Wo0CkmOz64.exe

ReversingLabs: Detection: 71%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: Wo0CkmOz64.exe

Joe Sandbox ML: detected

Compliance

Source: Wo0CkmOz64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Msajjuwub.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 74130c7c-3821-4585-8a44-d82d54fb894c<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedMsajjuwub.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 80.76.49.148:7702

Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148
Source: unknown	TCP traffic detected without corresponding DNS query: 80.76.49.148

Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: Wo0CkmOz64.exe, Program.cs

Large array initialization: Main: array initializer size 849520

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD346772D3		0_2_00007FFD346772D3
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD346743B0		0_2_00007FFD346743B0
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD346734D3		0_2_00007FFD346734D3
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD346740FA		0_2_00007FFD346740FA
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD346729FA		0_2_00007FFD346729FA
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD34673387		0_2_00007FFD34673387
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD347713D4		0_2_00007FFD347713D4
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD347705D4		0_2_00007FFD347705D4

Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsajjuwub.dll" vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe, 00000000.00000000.2130169567.0000000000A54000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDniblceid.exe" vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsajjuwub.dll" vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe
Source: Wo0CkmOz64.exe	Binary or memory string: OriginalFilenameDniblceid.exe" vs Wo0CkmOz64.exe

Source: Wo0CkmOz64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Wo0CkmOz64.exe, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Mutant created: \Sessions\1\BaseNamedObjects\f1bf4db99626c2f2

Source: Wo0CkmOz64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Wo0CkmOz64.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Wo0CkmOz64.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Section loaded: mswsock.dll			Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Wo0CkmOz64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Wo0CkmOz64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Wo0CkmOz64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Msajjuwub.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 74130c7c-3821-4585-8a44-d82d54fb894c<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedMsajjuwub.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Wo0CkmOz64.exe, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.1bba0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.13281328.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3380383003.000000001BBA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wo0CkmOz64.exe PID: 2752, type: MEMORYSTR

Source: Wo0CkmOz64.exe

Static PE information: 0xC8E3E1A2 [Tue Oct 20 00:00:34 2076 UTC]

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD3467BDDA push es; iretd		0_2_00007FFD3467BDDF
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD34670E55 push ebx; ret		0_2_00007FFD34670E6A
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Code function: 0_2_00007FFD347739B8 pushad ; retf		0_2_00007FFD347739B9

Source: Wo0CkmOz64.exe

Static PE information: section name: .text entropy: 7.999487700871465

Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, Y2lLZcbSYWt9UP9rF7.cs	High entropy of concatenated method names: 'OPE0mL6RM', 'amhzaWG7D', 'xSK4X3fqaj', 'weU44KmgRV', 'x7X4KrV49G', 'LLS4evHfen', 'z3U4darRRK', 'Nlr4m7yH7I', 'wXL4JU8I4P', 'PZW4Y9DtVn'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'ibP1P0u5rrp3VJbKq47'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, gAeOsta063lyJEOOAwv.cs	High entropy of concatenated method names: 'EDKs6mxP25', 'e2FsLaSBvn', 'Q2ksTi1BIb', 'ND1s5Juqq7', 'sIbs8MwiEE', 'YqVs1vbi9w', 'sbusAYPU96', 'XXxhpSv9Dy', 'v9gsH604Ok', 'l68suULumv'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	High entropy of concatenated method names: 'SQQ9SLDtcCWavixBCma', 'EO6PV9D7VYR6pQw11Me', 'xmbaCCGGr7', 'NsKJigDPaVWkLp0vcVV', 'rSxuMPDndnPj8eZrpdR', 'QGTD51DWCjyUP69NmQk', 'isk9ngDUqv54HqZOvx8', 'wXgJa5DwvBWhCUB4dHF', 'T4WiVKDZR5U4nsojT33', 'FFHa4ADRcIhMkabc29V'
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, W4sJouaB4OvhNNX2KbG.cs	High entropy of concatenated method names: 'DHbaFapw8d', 'YBiaPYQbOS', 'nQManmQEs3', 'WnjaWkekEO', 'QE8aUmC191', 'pqeawkLeP0', 'xCIaZAU4y3', 'DdnaR0f1KN', 'xx6abZpsSB', 'i0yakyWOe3'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, Y2lLZcbSYWt9UP9rF7.cs	High entropy of concatenated method names: 'OPE0mL6RM', 'amhzaWG7D', 'xSK4X3fqaj', 'weU44KmgRV', 'x7X4KrV49G', 'LLS4evHfen', 'z3U4darRRK', 'Nlr4m7yH7I', 'wXL4JU8I4P', 'PZW4Y9DtVn'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'ibP1P0u5rrp3VJbKq47'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, gAeOsta063lyJEOOAwv.cs	High entropy of concatenated method names: 'EDKs6mxP25', 'e2FsLaSBvn', 'Q2ksTi1BIb', 'ND1s5Juqq7', 'sIbs8MwiEE', 'YqVs1vbi9w', 'sbusAYPU96', 'XXxhpSv9Dy', 'v9gsH604Ok', 'l68suULumv'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs	High entropy of concatenated method names: 'SQQ9SLDtcCWavixBCma', 'EO6PV9D7VYR6pQw11Me', 'xmbaCCGGr7', 'NsKJigDPaVWkLp0vcVV', 'rSxuMPDndnPj8eZrpdR', 'QGTD51DWCjyUP69NmQk', 'isk9ngDUqv54HqZOvx8', 'wXgJa5DwvBWhCUB4dHF', 'T4WiVKDZR5U4nsojT33', 'FFHa4ADRcIhMkabc29V'
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, W4sJouaB4OvhNNX2KbG.cs	High entropy of concatenated method names: 'DHbaFapw8d', 'YBiaPYQbOS', 'nQManmQEs3', 'WnjaWkekEO', 'QE8aUmC191', 'pqeawkLeP0', 'xCIaZAU4y3', 'DdnaR0f1KN', 'xx6abZpsSB', 'i0yakyWOe3'

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Memory allocated: 1080000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Memory allocated: 1AC10000 memory reserve | memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Window / User API: threadDelayed 3907			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe	Window / User API: threadDelayed 6028			Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4900	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4156	Thread sleep count: 3907 > 30			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4156	Thread sleep count: 6028 > 30			Jump to behavior
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Wo0CkmOz64.exe, 00000000.00000002.3379823672.000000001BAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Queries volume information: C:\Users\user\Desktop\Wo0CkmOz64.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Wo0CkmOz64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.1b690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.1b690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.130312b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.12fdae80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3379202075.000000001B690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.1b690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.1b690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.130312b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.12fdae80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3379202075.000000001B690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY