Edit tour

Windows Analysis Report
mG31YklE0k.exe

Overview

General Information

Sample name:	mG31YklE0k.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	a63073dc84ad47517f9b50c4270b274888fda0536381f04259418b25e96407c9
Analysis ID:	1467030
MD5:	8b6caa03bd794cf1d3d61493383414f0
SHA1:	a15fa197e0c22aad50b20dacb48abf6d6f81ed9c
SHA256:	a63073dc84ad47517f9b50c4270b274888fda0536381f04259418b25e96407c9
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a control a shell (cmd.exe)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Suspicious PDB

Yara signature match

Classification

Process Tree

System is w10x64

mG31YklE0k.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\mG31YklE0k.exe" MD5: 8B6CAA03BD794CF1D3D61493383414F0)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7396 cmdline: cmd.exe /C "chcp 65001 > NUL & wmic os get Name,OSArchitecture /format:rawxml" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7448 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

WMIC.exe (PID: 7464 cmdline: wmic os get Name,OSArchitecture /format:rawxml MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7500 cmdline: cmd.exe /C "chcp 65001 > NUL & wmic cpu get Name /format:rawxml" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7552 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

WMIC.exe (PID: 7568 cmdline: wmic cpu get Name /format:rawxml MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7604 cmdline: cmd.exe /C "chcp 65001 > NUL & wmic os get TotalVisibleMemorySize /format:rawxml" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7648 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

WMIC.exe (PID: 7664 cmdline: wmic os get TotalVisibleMemorySize /format:rawxml MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mG31YklE0k.exe	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security
mG31YklE0k.exe	Windows_Trojan_MicroBackdoor_46f2e5fd	unknown	unknown	0x600:$a1: cmd.exe /C "%s%s" 0x570:$a2: %s\|%s\|%d\|%s\|%d\|%d 0x598:$a3: {{{$%.8x}}} 0x5d0:$a5: chcp 65001 > NUL & 0x7a8:$a6: CONNECT %s:%d HTTP/1.0

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security
00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_MicroBackdoor_46f2e5fd	unknown	unknown	0x200:$a1: cmd.exe /C "%s%s" 0x170:$a2: %s\|%s\|%d\|%s\|%d\|%d 0x198:$a3: {{{$%.8x}}} 0x1d0:$a5: chcp 65001 > NUL & 0x3a8:$a6: CONNECT %s:%d HTTP/1.0
00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security
00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_MicroBackdoor_46f2e5fd	unknown	unknown	0x200:$a1: cmd.exe /C "%s%s" 0x170:$a2: %s\|%s\|%d\|%s\|%d\|%d 0x198:$a3: {{{$%.8x}}} 0x1d0:$a5: chcp 65001 > NUL & 0x3a8:$a6: CONNECT %s:%d HTTP/1.0
Process Memory Space: mG31YklE0k.exe PID: 7272	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.mG31YklE0k.exe.7ff792320000.0.unpack	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security
0.0.mG31YklE0k.exe.7ff792320000.0.unpack	Windows_Trojan_MicroBackdoor_46f2e5fd	unknown	unknown	0x600:$a1: cmd.exe /C "%s%s" 0x570:$a2: %s\|%s\|%d\|%s\|%d\|%d 0x598:$a3: {{{$%.8x}}} 0x5d0:$a5: chcp 65001 > NUL & 0x7a8:$a6: CONNECT %s:%d HTTP/1.0
0.2.mG31YklE0k.exe.7ff792320000.0.unpack	JoeSecurity_SuspiciousPDB	Yara detected Suspicious PDB	Joe Security
0.2.mG31YklE0k.exe.7ff792320000.0.unpack	Windows_Trojan_MicroBackdoor_46f2e5fd	unknown	unknown	0x600:$a1: cmd.exe /C "%s%s" 0x570:$a2: %s\|%s\|%d\|%s\|%d\|%d 0x598:$a3: {{{$%.8x}}} 0x5d0:$a5: chcp 65001 > NUL & 0x7a8:$a6: CONNECT %s:%d HTTP/1.0

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792324780 lstrcmpA,CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptImportPublicKeyInfo,CryptExportKey,LocalAlloc,CryptExportKey,GetLastError,LocalFree,CryptDestroyKey,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,	0_2_00007FF792324780
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792323990 CryptHashCertificate,LocalAlloc,LocalFree,recv,WSAGetLastError,GetLastError,closesocket,	0_2_00007FF792323990
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792323490 CryptHashCertificate,LocalAlloc,LocalFree,recv,WSAGetLastError,GetLastError,	0_2_00007FF792323490
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792324920 CryptAcquireContextA,GetLastError,CryptAcquireContextA,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,	0_2_00007FF792324920
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792324530 CryptAcquireContextA,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,	0_2_00007FF792324530
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792324130 CryptQueryObject,CertGetNameStringW,CertNameToStrW,CertNameToStrW,CryptHashCertificate,wsprintfA,CertFreeCertificateContext,GetLastError,CertFreeCertificateContext,GetLastError,	0_2_00007FF792324130
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923243C0 CryptAcquireContextA,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,GetLastError,	0_2_00007FF7923243C0
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923245D0 lstrcmpA,CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptImportPublicKeyInfo,LocalAlloc,CryptEncrypt,LocalFree,CryptDestroyKey,GetLastError,LocalFree,CryptDestroyKey,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,	0_2_00007FF7923245D0
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF79232B068 CryptCreateHash,	0_2_00007FF79232B068
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF79232B070 CryptHashData,	0_2_00007FF79232B070
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF79232B0D8 CryptQueryObject,CryptImportPublicKeyInfo,CryptHashCertificate,	0_2_00007FF79232B0D8
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923244E0 CryptGetHashParam,	0_2_00007FF7923244E0
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF79232B0E8 CryptImportPublicKeyInfo,	0_2_00007FF79232B0E8
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF79232B0F0 CryptHashCertificate,	0_2_00007FF79232B0F0
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923245C0 CryptHashData,	0_2_00007FF7923245C0

Source: mG31YklE0k.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\vs2019\source\repos\backdoor\x64\Release\backdoor.pdb&& source: mG31YklE0k.exe
Source:	Binary string: C:\Users\vs2019\source\repos\backdoor\x64\Release\backdoor.pdb source: mG31YklE0k.exe

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792322330 GetLogicalDriveStringsA,lstrlenA,GetDriveTypeA,GetLastError,MultiByteToWideChar,LocalAlloc,GetLastError,MultiByteToWideChar,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,FindClose,GetLastError,LocalFree,

0_2_00007FF792322330

Source: C:\Users\user\Desktop\mG31YklE0k.exe

0_2_00007FF792322330

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 47.236.8.208:28115

Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208
Source: unknown	TCP traffic detected without corresponding DNS query: 47.236.8.208

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792323990 CryptHashCertificate,LocalAlloc,LocalFree,recv,WSAGetLastError,GetLastError,closesocket,

0_2_00007FF792323990

System Summary

Malicious sample detected (through community Yara rule)

Source: mG31YklE0k.exe, type: SAMPLE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd Author: unknown
Source: 0.0.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd Author: unknown
Source: 0.2.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd Author: unknown
Source: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd Author: unknown
Source: 00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd Author: unknown

Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792324780	0_2_00007FF792324780
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792323990	0_2_00007FF792323990
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792321B50	0_2_00007FF792321B50
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923243C0	0_2_00007FF7923243C0
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792322970	0_2_00007FF792322970
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792322620	0_2_00007FF792322620
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792325430	0_2_00007FF792325430

Source: mG31YklE0k.exe	Binary or memory string: OriginalFilename vs mG31YklE0k.exe
Source: mG31YklE0k.exe, 00000000.00000000.1316429199.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAccessEnum.exeP vs mG31YklE0k.exe
Source: mG31YklE0k.exe, 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAccessEnum.exeP vs mG31YklE0k.exe
Source: mG31YklE0k.exe	Binary or memory string: OriginalFilenameAccessEnum.exeP vs mG31YklE0k.exe

Source: mG31YklE0k.exe, type: SAMPLE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd reference_sample = fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21, os = windows, severity = x86, creation_date = 2022-03-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.MicroBackdoor, fingerprint = d4e410b9c36c1d5206f5d17190ef4e5fd4b4e4d40acad703775aed085a08ef7c, id = 46f2e5fd-edea-4321-b38c-7478b47f054b, last_modified = 2022-04-12
Source: 0.0.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd reference_sample = fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21, os = windows, severity = x86, creation_date = 2022-03-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.MicroBackdoor, fingerprint = d4e410b9c36c1d5206f5d17190ef4e5fd4b4e4d40acad703775aed085a08ef7c, id = 46f2e5fd-edea-4321-b38c-7478b47f054b, last_modified = 2022-04-12
Source: 0.2.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd reference_sample = fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21, os = windows, severity = x86, creation_date = 2022-03-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.MicroBackdoor, fingerprint = d4e410b9c36c1d5206f5d17190ef4e5fd4b4e4d40acad703775aed085a08ef7c, id = 46f2e5fd-edea-4321-b38c-7478b47f054b, last_modified = 2022-04-12
Source: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd reference_sample = fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21, os = windows, severity = x86, creation_date = 2022-03-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.MicroBackdoor, fingerprint = d4e410b9c36c1d5206f5d17190ef4e5fd4b4e4d40acad703775aed085a08ef7c, id = 46f2e5fd-edea-4321-b38c-7478b47f054b, last_modified = 2022-04-12
Source: 00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_MicroBackdoor_46f2e5fd reference_sample = fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21, os = windows, severity = x86, creation_date = 2022-03-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.MicroBackdoor, fingerprint = d4e410b9c36c1d5206f5d17190ef4e5fd4b4e4d40acad703775aed085a08ef7c, id = 46f2e5fd-edea-4321-b38c-7478b47f054b, last_modified = 2022-04-12

Source: classification engine

Classification label: mal56.evad.winEXE@23/5@0/1

Source: C:\Users\user\Desktop\mG31YklE0k.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Mutant created: \Sessions\1\BaseNamedObjects\30D78F9B-C56E-472C-8A29-E91111115
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Users\user\Desktop\mG31YklE0k.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp13AC.tmp

Jump to behavior

Source: mG31YklE0k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mG31YklE0k.exe "C:\Users\user\Desktop\mG31YklE0k.exe"
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get Name,OSArchitecture /format:rawxml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Name,OSArchitecture /format:rawxml
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic cpu get Name /format:rawxml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name /format:rawxml
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get TotalVisibleMemorySize /format:rawxml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get TotalVisibleMemorySize /format:rawxml
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get Name,OSArchitecture /format:rawxml"	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic cpu get Name /format:rawxml"	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get TotalVisibleMemorySize /format:rawxml"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Name,OSArchitecture /format:rawxml	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name /format:rawxml	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get TotalVisibleMemorySize /format:rawxml	Jump to behavior

Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: mG31YklE0k.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mG31YklE0k.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mG31YklE0k.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mG31YklE0k.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\vs2019\source\repos\backdoor\x64\Release\backdoor.pdb&& source: mG31YklE0k.exe
Source:	Binary string: C:\Users\vs2019\source\repos\backdoor\x64\Release\backdoor.pdb source: mG31YklE0k.exe

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792323D20 _vscprintf,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,vsprintf,lstrlenA,LocalFree,

0_2_00007FF792323D20

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: GetModuleHandleA,GetModuleFileNameA,StrStrA,CreateThread,CloseHandle,

0_2_00007FF792324080

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-1881

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\mG31YklE0k.exe

0_2_00007FF792322330

Source: C:\Users\user\Desktop\mG31YklE0k.exe

0_2_00007FF792322330

Source: mG31YklE0k.exe, 00000000.00000002.2555279121.0000024AB1E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mG31YklE0k.exe, 00000000.00000002.2555279121.0000024AB1E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792326740 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF792326740

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792323D20 _vscprintf,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,vsprintf,lstrlenA,LocalFree,

0_2_00007FF792323D20

Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792322F00 CreateMutexA,CreateMutexExA,GetLastError,GetCommandLineA,SetUnhandledExceptionFilter,GetCurrentProcessId,lstrlenA,lstrlenA,GetVersionExA,GetLastError,WSAStartup,WSAGetLastError,lstrlenA,gethostbyname,inet_addr,Sleep,htons,inet_ntoa,socket,connect,GetTickCount,closesocket,WSAGetLastError,closesocket,Sleep,WSAGetLastError,Sleep,closesocket,CloseHandle,	0_2_00007FF792322F00
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF7923260A8 SetUnhandledExceptionFilter,_set_new_mode,_set_new_mode,	0_2_00007FF7923260A8
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Code function: 0_2_00007FF792326740 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF792326740

Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get Name,OSArchitecture /format:rawxml"	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic cpu get Name /format:rawxml"	Jump to behavior
Source: C:\Users\user\Desktop\mG31YklE0k.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "chcp 65001 > NUL & wmic os get TotalVisibleMemorySize /format:rawxml"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Name,OSArchitecture /format:rawxml	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name /format:rawxml	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get TotalVisibleMemorySize /format:rawxml	Jump to behavior

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792326620 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF792326620

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: 0_2_00007FF792324BE0 GetVersionExA,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,GetLastError,LocalFree,GetLastError,CloseHandle,GetLastError,

0_2_00007FF792324BE0

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\mG31YklE0k.exe

Code function: cmd.exe /C "%s%s"

0_2_00007FF792321B50

Source: Yara match	File source: mG31YklE0k.exe, type: SAMPLE
Source: Yara match	File source: 0.0.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mG31YklE0k.exe.7ff792320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mG31YklE0k.exe PID: 7272, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	5 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.236.8.208	unknown	United States		20115	CHARTER-20115US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467030
Start date and time:	2024-07-03 16:40:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mG31YklE0k.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	a63073dc84ad47517f9b50c4270b274888fda0536381f04259418b25e96407c9
Detection:	MAL
Classification:	mal56.evad.winEXE@23/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 21 Number of non-executed functions: 20

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: mG31YklE0k.exe

Simulations

Behavior and APIs

Time	Type	Description
10:41:31	API Interceptor	3x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHARTER-20115US	RR1h1iO6W2.exe	Get hash	malicious	FormBook	Browse	47.239.13.172
	Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe	Get hash	malicious	FormBook	Browse	47.239.13.172
	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Get hash	malicious	FormBook	Browse	47.239.13.172
	http://we-whatsapp-kf.top/	Get hash	malicious	Unknown	Browse	47.238.134.130
	http://we-whatsapp-kf.club/	Get hash	malicious	Unknown	Browse	47.238.60.212
	mirai.mpsl.elf	Get hash	malicious	Mirai	Browse	24.181.17.151
	mirai.spc.elf	Get hash	malicious	Mirai	Browse	35.134.142.218
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	97.95.170.153
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	47.26.252.103
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	174.87.193.170

Process:	C:\Users\user\Desktop\mG31YklE0k.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	5.903840842623564
Encrypted:	false
SSDEEP:	24:LrqxX9bklbDsOuvbCJLz3KkR03ZugOo5Apq1A1lfn1/xRVFxq9IZcNNugpR:LrabkdYr0neRF1CDP1/r02Z4P
MD5:	5174764DB37DF7458941465937A0AD81
SHA1:	328B97EE6799CC62603A669F9A3E26C5D18A1962
SHA-256:	33D3672C97F5542D5349FD71ADD714B52CEB4B8A787B3250B48C5F5137C1C945
SHA-512:	F47530419C58D8170A687AD7D60803D63505099F8621A53EA5F39E93FE5F0640F1DD71CD650893BA67BF7647560B1FB02D9D36C9C5873EC74EDA940A9EA9B771
Malicious:	false
Preview:	-----BEGIN CERTIFICATE-----MIIDazCCAlOgAwIBAgIUaGMugH/V55gn/kKF7MTkZbXAMgcwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MDIwOTE1NDlaFw0yNTA3MDIwOTE1NDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI9aJMQs59lkwXq7E7lbbFWVK6GZSKrxRaHqIY9h+XAhPomMCbEPtXsC2nQseWCRptVoQP0Ica1a5N3Szc0z4ULts6dMVl97H/0I9PergpfodzQPpcaPNj0oJJx8FIhPgDJSIhsopka2B6KHgSMVAZqJNZUuGtZAstCsqQ5poJnUbysAGC28XH3u1/RDaBVoCUbca8MwXF8PljFW1vliAjWbODl2fw/o/Gpm5bPxNX6u8TYAZRPDuqbkWBU5vLwXXc28GyPeNeJrFZuEdH625tPZhaEDuGjt/zKN0zxloYGKAP2NuqDOz1q6yjeCjCylDpY2Z51E0QBHN+ZgrDa/pVAgMBAAGjUzBRMB0GA1UdDgQWBBSHcDJYwey7jHv4NnpWyj3iinY3LzAfBgNVHSMEGDAWgBSHcDJYwey7jHv4NnpWyj3iinY3LzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA0Iy9HCpHi7Vxx9NOqyIK1iAaUrX3phW3IJIDR/RtirKZ7xq2NMKDvzgCBiPklhmPGNe3BO6o34k+Cvj0WePKsqZUzd+frQz0T1bqqzrH8Gb9S/RYxDchokJAsqiTmfhNNEHgkKzV1jszrQ

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\mG31YklE0k.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwltJ:Wz
MD5:	3D7D230E8E9B4E8202935E38050E13E5
SHA1:	DFABCB8DCBC48AB136F6F87A29BF4A7C9CCCCAAF
SHA-256:	269E9F79960D5201DA265CEF43575B1EF31644174DA7A9AB23501AD3A0CACFC3
SHA-512:	02BAF2F6CE0222EBFD4186641AC8F8BF8C54D0184A6C4C85F720171EEF8B1871ACCC9F3E522B80C8814428F52B007CE321312A76B4538D59E4A436D43011FF30
Malicious:	false
Preview:	........................................user.

\Device\Null

Download File

Process:	C:\Windows\System32\chcp.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601646
Encrypted:	false
SSDEEP:	3:PHsEiV/:PsES
MD5:	D38306034A39FBDFDAC172946D5EF53F
SHA1:	346E6FF4E144749719368D4A27675C44E742BDCF
SHA-256:	2B06CDF30ADE079C57F6E8EC16FA27563855265463BEDE417A2DD63A631B6A21
SHA-512:	7F3CFF34DB2E1528BA3928E3C41CEC4C6407DFAB4CD57FA298CCD06AA65696FB3321DFCC24A0BF5A7D546F1216E3506F1D26B09B11E5511AD33219913FA149D4
Malicious:	false
Preview:	Active code page: 65001..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.852039182449177
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mG31YklE0k.exe
File size:	432'128 bytes
MD5:	8b6caa03bd794cf1d3d61493383414f0
SHA1:	a15fa197e0c22aad50b20dacb48abf6d6f81ed9c
SHA256:	a63073dc84ad47517f9b50c4270b274888fda0536381f04259418b25e96407c9
SHA512:	806acd96674899d1eb6e8ab26e5f02d968b2fc6eb8cbfd6412a174ac49b8b5848a9e11c0627a089438cd7e69f5fc7bf9d890a6944fb2de16887cdbc831ba0e6d
SSDEEP:	12288:mZbroXPJbRw99/5inSFpKLJPiVv64Lafz:UnmRbWsaKLZOlef
TLSH:	0B948D9600A200E1D44D633EE49772E89215BFE949E058D7EF3A73E1EB3F6B56C2D109
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..J%..J%..J%..C]..@%...P..H%...P..X%...P..@%...P..I%..^N..[%..J%...%...P..@%...P`.K%..J%..K%...P..K%..RichJ%.................

File Icon


Icon Hash:	69ec8cccccec69b2

Static PE Info

General

Entrypoint:	0x140006240
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668549A1 [Wed Jul 3 12:52:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	da2da8d7e1b177f6c85b526cf54d4f81

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FFAE8E2605Ch
dec eax
add esp, 28h
jmp 00007FFAE8E25AF7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00004EABh]
dec eax
mov ecx, ebx
call dword ptr [00005012h]
call dword ptr [00004ED4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00004ED8h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00005024h]
test eax, eax
je 00007FFAE8E25C89h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00002952h]
call 00007FFAE8E25D2Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00002A39h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000029C9h], eax
dec eax
mov eax, dword ptr [00002A22h]
dec eax
mov dword ptr [00002893h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00002997h], eax
mov dword ptr [0000286Dh], C0000409h
mov dword ptr [00002867h], 00000001h
mov dword ptr [00002871h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb4d8	0x118	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x60580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa000	0x678	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6e000	0x6c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13f0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1460	0x138	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x4b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x650c	0x6600	5ae99d49b304354990d853d02c05ac9f	False	0.5579810049019608	data	6.007636917711092	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1168	0x800	ddacbbc2b0e3ddba423fac05ce1dea96	False	0.52197265625	data	4.968150545191446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa000	0x678	0x800	b51c7c5405a356a7c42be5b3f3a96813	False	0.408203125	data	3.7544532864563442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0xb000	0x14c2	0x1600	d073fcab1edf44983863e0a0c4368d77	False	0.3400213068181818	data	4.236583202306604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xd000	0x60580	0x60600	325f82659efe38a5b21505320a8f123e	False	0.5032070768482491	data	6.839791011908209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6e000	0x6c	0x200	9678921f82daf9b4123af53d42bf553c	False	0.2265625	data	1.3703275274477857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x58b50	0x60a	PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced	English	United States	0.9573091849935317
RT_ICON	0x59160	0x70a8	Device independent bitmap graphic, 96 x 192 x 24, image size 0	English	United States	0.029576976421636616
RT_ICON	0x60208	0x4ee8	Device independent bitmap graphic, 80 x 160 x 24, image size 0	English	United States	0.033811881188118814
RT_ICON	0x650f0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 0	English	United States	0.042834890965732085
RT_ICON	0x68318	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 0	English	United States	0.05466194111232279
RT_ICON	0x69fc0	0x1428	Device independent bitmap graphic, 40 x 80 x 24, image size 0	English	United States	0.06763565891472868
RT_ICON	0x6b3e8	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 0	English	United States	0.08364197530864198
RT_ICON	0x6c090	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 0	English	United States	0.11856223175965665
RT_ICON	0x6c7d8	0x528	Device independent bitmap graphic, 20 x 40 x 24, image size 0	English	United States	0.12878787878787878
RT_ICON	0x6cd00	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 0	English	United States	0.18692660550458715
RT_RCDATA	0xd340	0x4b809	data	English	United States	0.6231839537989439
RT_GROUP_ICON	0x6d068	0x92	data	English	United States	0.6986301369863014
RT_VERSION	0x6d100	0x2fc	data	English	United States	0.468586387434555
RT_MANIFEST	0x6d400	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
SHLWAPI.dll	StrStrA, StrCmpNA, StrToIntExA
CRYPT32.dll	CertNameToStrW, CertGetNameStringW, CryptQueryObject, CertFreeCertificateContext, CryptImportPublicKeyInfo, CryptHashCertificate
WS2_32.dll	inet_ntoa, recv, select, send, WSAGetLastError, WSAStartup, gethostbyname, __WSAFDIsSet, closesocket, connect, htons, inet_addr, socket
KERNEL32.dll	WriteFile, CloseHandle, SetUnhandledExceptionFilter, GetLastError, CreatePipe, PeekNamedPipe, WaitForSingleObject, CreateMutexA, Sleep, GetCurrentProcess, GetCurrentProcessId, ExitProcess, TerminateProcess, GetExitCodeProcess, GetFileSize, CreateThread, GetCurrentThreadId, CreateProcessA, CreateProcessW, GetStartupInfoW, GetTickCount, GetVersionExA, GetModuleFileNameA, GetModuleFileNameW, GetDriveTypeA, GetProcAddress, LoadLibraryA, LocalAlloc, LocalFree, lstrcmpA, lstrlenA, GetLogicalDriveStringsA, GetStartupInfoA, GetComputerNameW, MultiByteToWideChar, WideCharToMultiByte, AllocConsole, FreeConsole, GetConsoleCP, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, lstrcpynA, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, ReadFile, FindNextFileW, FindFirstFileW, FindClose, CreateFileW, GetModuleHandleA, GetCommandLineA, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SwitchToThread
USER32.dll	wsprintfW, wsprintfA
ADVAPI32.dll	CryptEncrypt, CryptGenRandom, CryptGetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextA, RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegEnumValueA, RegDeleteValueA, RegCloseKey, GetUserNameW, CryptCreateHash, CryptHashData, CryptDestroyHash, OpenProcessToken, CryptExportKey, RegEnumKeyA, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, CreateWellKnownSid, CheckTokenMembership
SHELL32.dll
VCRUNTIME140.dll	__current_exception, __C_specific_handler, __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, exit, _seh_filter_exe, _initialize_onexit_table, _register_onexit_function, _cexit, terminate, _set_app_type, _register_thread_local_exe_atexit_callback, _initterm_e, __p___argv, __p___argc, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _crt_atexit, _exit
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:41:30.219249964 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:30.225084066 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:30.225183010 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:30.259793997 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:30.266283989 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:31.235215902 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:31.285934925 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:31.524907112 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:31.525197029 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:31.530241013 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:31.892337084 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:31.942200899 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:32.289998055 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:32.294883966 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:32.625359058 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:32.630269051 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:32.966854095 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:33.020313025 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:33.231466055 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:33.236527920 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:33.668651104 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:33.673911095 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:34.010229111 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:34.054932117 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:34.528506041 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:34.533524036 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:34.862430096 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:34.867324114 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:35.203341007 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:41:35.203818083 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:41:35.208679914 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:42:05.192363977 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:42:05.197391033 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:42:35.192430973 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:42:35.197546959 CEST	28115	49706	47.236.8.208	192.168.2.9
Jul 3, 2024 16:43:05.208242893 CEST	49706	28115	192.168.2.9	47.236.8.208
Jul 3, 2024 16:43:05.213143110 CEST	28115	49706	47.236.8.208	192.168.2.9

Target ID:	0
Start time:	10:41:29
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\mG31YklE0k.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mG31YklE0k.exe"
Imagebase:	0x7ff792320000
File size:	432'128 bytes
MD5 hash:	8B6CAA03BD794CF1D3D61493383414F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SuspiciousPDB, Description: Yara detected Suspicious PDB, Source: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_MicroBackdoor_46f2e5fd, Description: unknown, Source: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_SuspiciousPDB, Description: Yara detected Suspicious PDB, Source: 00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_MicroBackdoor_46f2e5fd, Description: unknown, Source: 00000000.00000000.1316395438.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:41:29
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:41:30
Start date:	03/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C "chcp 65001 > NUL & wmic os get Name,OSArchitecture /format:rawxml"
Imagebase:	0x7ff66e910000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:41:30
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:41:31
Start date:	03/07/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff73b3d0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:41:31
Start date:	03/07/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Name,OSArchitecture /format:rawxml
Imagebase:	0x7ff798d30000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:41:32
Start date:	03/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C "chcp 65001 > NUL & wmic cpu get Name /format:rawxml"
Imagebase:	0x7ff66e910000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:41:32
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:41:32
Start date:	03/07/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff73b3d0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:41:32
Start date:	03/07/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get Name /format:rawxml
Imagebase:	0x7ff798d30000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:41:33
Start date:	03/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C "chcp 65001 > NUL & wmic os get TotalVisibleMemorySize /format:rawxml"
Imagebase:	0x7ff66e910000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:41:33
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:41:33
Start date:	03/07/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff73b3d0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:41:33
Start date:	03/07/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get TotalVisibleMemorySize /format:rawxml
Imagebase:	0x7ff798d30000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	58.7%
Total number of Nodes:	673
Total number of Limit Nodes:	22

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF792321B50 Relevance: 96.6, APIs: 51, Strings: 4, Instructions: 388
memorypipenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32 ref: 00007FF792321BD0
GetLastError.KERNEL32 ref: 00007FF792321BDE
CreatePipe.KERNEL32 ref: 00007FF792321BF9
GetLastError.KERNEL32 ref: 00007FF792321C03
GetExitCodeProcess.KERNEL32 ref: 00007FF79232202E
TerminateProcess.KERNEL32 ref: 00007FF792322047
GetLastError.KERNEL32 ref: 00007FF792322051
CloseHandle.KERNEL32 ref: 00007FF79232206A
CloseHandle.KERNEL32 ref: 00007FF792322079
CloseHandle.KERNEL32 ref: 00007FF792322089
CloseHandle.KERNEL32 ref: 00007FF792322099
CloseHandle.KERNEL32 ref: 00007FF7923220A8
CloseHandle.KERNEL32 ref: 00007FF7923220B8
LocalFree.KERNEL32 ref: 00007FF7923220C6
LocalFree.KERNEL32 ref: 00007FF7923220D4
LocalFree.KERNEL32 ref: 00007FF7923220E2
LocalFree.KERNEL32 ref: 00007FF79232212A
WSAGetLastError.WS2_32 ref: 00007FF792322143

Strings

chcp 65001 > NUL & , xrefs: 00007FF792321D70
*** ERROR: Timeout occured, xrefs: 00007FF792322006
{{{#%.8x}}}, xrefs: 00007FF7923220EC
cmd.exe /C "%s%s", xrefs: 00007FF792321D87

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CloseHandle$Local$ErrorFreeLast$Process$AllocCodeCreateExitPipeTerminate
String ID: *** ERROR: Timeout occured$chcp 65001 > NUL & $cmd.exe /C "%s%s"${{{#%.8x}}}
API String ID: 2561126683-440690278
Opcode ID: da73e3b086ad8585e865e1741d3301e734a5945a977b8d39513ddb4751ef9bad
Instruction ID: a35c02b23f56b8ed552dc8b0fc6b7e45da1b912d87fb86a4f48275425b82979e
Opcode Fuzzy Hash: da73e3b086ad8585e865e1741d3301e734a5945a977b8d39513ddb4751ef9bad
Instruction Fuzzy Hash: 17026131A08B5286FB30BB72A844679A7A1FF48B94F84417DDE4E43A58DFBCE445C760

Function 00007FF792322F00 Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 171
networksleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32 ref: 00007FF792322F24
GetLastError.KERNEL32 ref: 00007FF792322F36
GetCommandLineA.KERNEL32 ref: 00007FF792322F47
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF792322F54
GetCurrentProcessId.KERNEL32 ref: 00007FF792322F5A
lstrlenA.KERNEL32 ref: 00007FF792322F67
lstrlenA.KERNEL32 ref: 00007FF792322F7C
GetVersionExA.KERNEL32 ref: 00007FF792322FBA
GetLastError.KERNEL32 ref: 00007FF792322FC4
WSAStartup.WS2_32 ref: 00007FF792322FEC
WSAGetLastError.WS2_32 ref: 00007FF792322FF6
lstrlenA.KERNEL32 ref: 00007FF79232301B
gethostbyname.WS2_32 ref: 00007FF79232307B
inet_addr.WS2_32 ref: 00007FF792323090
Sleep.KERNEL32 ref: 00007FF7923230A2
htons.WS2_32 ref: 00007FF7923230E9
inet_ntoa.WS2_32 ref: 00007FF792323100
socket.WS2_32 ref: 00007FF792323121
connect.WS2_32 ref: 00007FF792323142
GetTickCount.KERNEL32 ref: 00007FF79232315E
closesocket.WS2_32 ref: 00007FF79232318C
WSAGetLastError.WS2_32 ref: 00007FF792323197
closesocket.WS2_32 ref: 00007FF7923231A0
Sleep.KERNEL32 ref: 00007FF7923231AB
WSAGetLastError.WS2_32 ref: 00007FF7923231B6
Sleep.KERNEL32 ref: 00007FF7923231C1

Strings

-----BEGIN CERTIFICATE-----MIIDazCCAlOgAwIBAgIUaGMugH/V55gn/kKF7MTkZbXAMgcwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MDIwOTE1NDlaFw0yNTA3MDIwOTE1NDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDV, xrefs: 00007FF792322F75, 00007FF792323014, 00007FF79232302A
47.236.8.208, xrefs: 00007FF792322F60, 00007FF792323070, 00007FF792323089
324253563f750e8432be8e34af13249d, xrefs: 00007FF792322F9D
30D78F9B-C56E-472C-8A29-E91111115, xrefs: 00007FF792322F19

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sleeplstrlen$closesocket$CommandCountCreateCurrentExceptionFilterLineMutexProcessStartupTickUnhandledVersionconnectgethostbynamehtonsinet_addrinet_ntoasocket
String ID: -----BEGIN CERTIFICATE-----MIIDazCCAlOgAwIBAgIUaGMugH/V55gn/kKF7MTkZbXAMgcwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MDIwOTE1NDlaFw0yNTA3MDIwOTE1NDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDV$30D78F9B-C56E-472C-8A29-E91111115$324253563f750e8432be8e34af13249d$47.236.8.208
API String ID: 84727288-1026695507
Opcode ID: 97dc3dc6185f06f5d3c3692b71c6e10bc1e9102fb541311fcd43bd1663eb88e6
Instruction ID: 791737905a2aa453c1345ab8129f4786e62eea6614bf340852f3f2d3ab936d58
Opcode Fuzzy Hash: 97dc3dc6185f06f5d3c3692b71c6e10bc1e9102fb541311fcd43bd1663eb88e6
Instruction Fuzzy Hash: 98813C21E08A5281FA74BB31E814379A3A1BF84B60FC442BDDA5E426E5DFBCF545C670

Function 00007FF7923245D0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 115
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpA.KERNEL32 ref: 00007FF792324610
CryptAcquireContextA.ADVAPI32 ref: 00007FF792324639
CryptAcquireContextA.ADVAPI32 ref: 00007FF792324655
GetLastError.KERNEL32 ref: 00007FF79232465F

Strings

1.2.840.113549.1.1.1, xrefs: 00007FF792324600

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt$ErrorLastlstrcmp
String ID: 1.2.840.113549.1.1.1
API String ID: 3380055822-1045768084
Opcode ID: bb7228c47c3e8ab6bf27e9b09dc6a7054ea082258b3730e95ee1816905a7530a
Instruction ID: 8499731a84bca989fe411d59f9ef545ffab8a0ec13f3f3ab486b586b50affb3d
Opcode Fuzzy Hash: bb7228c47c3e8ab6bf27e9b09dc6a7054ea082258b3730e95ee1816905a7530a
Instruction Fuzzy Hash: 81418126A0864282F734BF75E84063AF761FF85B90F94407DDA5E42A58DFBCE449C720

Function 00007FF792324780 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 100
encryptionmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpA.KERNEL32 ref: 00007FF7923247AB
CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247D6
CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247F2
GetLastError.KERNEL32 ref: 00007FF7923247FC
CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF792324823
CryptExportKey.ADVAPI32 ref: 00007FF792324852
LocalAlloc.KERNEL32 ref: 00007FF792324865
CryptExportKey.ADVAPI32 ref: 00007FF792324890
GetLastError.KERNEL32 ref: 00007FF7923248B9
LocalFree.KERNEL32 ref: 00007FF7923248C2
CryptDestroyKey.ADVAPI32 ref: 00007FF7923248CD
CryptReleaseContext.ADVAPI32 ref: 00007FF7923248F5

Strings

RSA1, xrefs: 00007FF7923248A8
1.2.840.113549.1.1.1, xrefs: 00007FF79232479C

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireErrorExportLastLocal$AllocDestroyFreeImportInfoPublicReleaselstrcmp
String ID: 1.2.840.113549.1.1.1$RSA1
API String ID: 1837312144-2012263958
Opcode ID: a4e4f76e9bbf0a16c4e1eb018d1a02789ea6febe891a77422323c85949518525
Instruction ID: 0a03a5166f782f27505f85a64c0aa7f332f2df71f08a432c9a6169880c94f990
Opcode Fuzzy Hash: a4e4f76e9bbf0a16c4e1eb018d1a02789ea6febe891a77422323c85949518525
Instruction Fuzzy Hash: 21412032A28B8186F770BB31E44462AB3A1FF84B44F84507DD64E46A58DF7DE549C760

Function 00007FF792324BE0 Relevance: 24.1, APIs: 16, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 00007FF792324C3A
GetLastError.KERNEL32 ref: 00007FF792324C44
GetCurrentProcess.KERNEL32 ref: 00007FF792324C69
OpenProcessToken.ADVAPI32 ref: 00007FF792324C7B
GetTokenInformation.ADVAPI32 ref: 00007FF792324CAB
GetLastError.KERNEL32 ref: 00007FF792324CB5
LocalAlloc.KERNEL32 ref: 00007FF792324CC6
GetTokenInformation.ADVAPI32 ref: 00007FF792324CED
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF792324CFA
GetSidSubAuthority.ADVAPI32 ref: 00007FF792324D08
LocalFree.KERNEL32 ref: 00007FF792324D13
CloseHandle.KERNEL32 ref: 00007FF792324D36

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Token$AuthorityErrorInformationLastLocalProcess$AllocCloseCountCurrentFreeHandleOpenVersion
String ID:
API String ID: 1726717305-0
Opcode ID: 84e1ee547cd16025a8e5c5eaf9228b4336429ec269aa935b445246a5c9abbaa2
Instruction ID: 2252324b31bb4e12f878f438c885b315a08f76398daa4f786dccd171e944c710
Opcode Fuzzy Hash: 84e1ee547cd16025a8e5c5eaf9228b4336429ec269aa935b445246a5c9abbaa2
Instruction Fuzzy Hash: 09413E22E08B4286F720BB70E4003BDB3B1EB94B48F41557EDE4D56659DFB8B189C350

Function 00007FF792323D20 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 75
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF792323D63
GetProcAddress.KERNEL32 ref: 00007FF792323D7F
GetProcAddress.KERNEL32 ref: 00007FF792323D9F
GetProcAddress.KERNEL32 ref: 00007FF792323DBF
LocalAlloc.KERNEL32 ref: 00007FF792323DEB
vsprintf.MSVCRT ref: 00007FF792323E04
lstrlenA.KERNEL32 ref: 00007FF792323E0D
LocalFree.KERNEL32 ref: 00007FF792323E26

Strings

vsprintf, xrefs: 00007FF792323D95
_vscprintf, xrefs: 00007FF792323DB5
sprintf, xrefs: 00007FF792323D75
msvcrt.dll, xrefs: 00007FF792323D5C

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: AddressProc$Local$AllocFreeLibraryLoadlstrlenvsprintf
String ID: _vscprintf$msvcrt.dll$sprintf$vsprintf
API String ID: 147120482-2814819631
Opcode ID: eadc4dfa9487ff5ef6a20d957b77e50debb2b712aad6b75c81ae23c4abf1b67c
Instruction ID: 23ef37cc66fbddcec628bc5a221a05220552e11092a01160b90d74c81a6a6380
Opcode Fuzzy Hash: eadc4dfa9487ff5ef6a20d957b77e50debb2b712aad6b75c81ae23c4abf1b67c
Instruction Fuzzy Hash: 47312D65A09B5381FF35BB75A894274A3A1AF48BD0F8445BDCD4D023A0EEBCF489C360

Function 00007FF792324130 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 133
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptQueryObject.CRYPT32 ref: 00007FF7923241AC
CertGetNameStringW.CRYPT32 ref: 00007FF792324224
CertNameToStrW.CRYPT32 ref: 00007FF79232424D
CertNameToStrW.CRYPT32 ref: 00007FF792324276
CryptHashCertificate.CRYPT32 ref: 00007FF7923242D0
wsprintfA.USER32 ref: 00007FF792324305

Strings

%.2X, xrefs: 00007FF7923242FB

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CertName$Crypt$CertificateHashObjectQueryStringwsprintf
String ID: %.2X
API String ID: 2640105808-213608013
Opcode ID: a01f408edb9a8f74c4fb5be574b99d21058be682e4b66ce2b4315588bc1ec5d7
Instruction ID: cf8a19bb1f58e17ca4db84f32332baffe2e4b0d2403d688a8789627d198aec00
Opcode Fuzzy Hash: a01f408edb9a8f74c4fb5be574b99d21058be682e4b66ce2b4315588bc1ec5d7
Instruction Fuzzy Hash: 68614232A18B8186F721EF25E8406ADB7B1FB88744F844139DB8D47A59DF7CE194CB10

Function 00007FF7923243C0 Relevance: 13.6, APIs: 9, Instructions: 71
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF792324405
CryptCreateHash.ADVAPI32 ref: 00007FF79232442D
GetLastError.KERNEL32 ref: 00007FF792324437
CryptReleaseContext.ADVAPI32 ref: 00007FF792324444
CryptHashData.ADVAPI32 ref: 00007FF79232445A
CryptGetHashParam.ADVAPI32 ref: 00007FF792324488
CryptDestroyHash.ADVAPI32 ref: 00007FF79232449A
CryptReleaseContext.ADVAPI32 ref: 00007FF7923244A5
GetLastError.KERNEL32 ref: 00007FF7923244AD

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$ErrorLastRelease$AcquireCreateDataDestroyParam
String ID:
API String ID: 420618377-0
Opcode ID: 5378d1afaa9ea9ce78b8640519108fb7b85e84630e84e3a8dd6142cd221e59f5
Instruction ID: d83f3ad05c2a1e88d4f0cb65450428400d41d5749fe3f1633a0421919b0549be
Opcode Fuzzy Hash: 5378d1afaa9ea9ce78b8640519108fb7b85e84630e84e3a8dd6142cd221e59f5
Instruction Fuzzy Hash: C4314632A1864182F760AB32F45066AF7A5FFC8B84F84917DEA8E47A58DF7CD445CB10

Function 00007FF792324080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF792324092
GetModuleFileNameA.KERNEL32 ref: 00007FF7923240A8
StrStrA.SHLWAPI ref: 00007FF7923240BC
CreateThread.KERNEL32 ref: 00007FF7923240E3
CloseHandle.KERNEL32 ref: 00007FF7923240F1

Strings

C:\Users\user\Desktop\mG31YklE0k.exe, xrefs: 00007FF79232409E, 00007FF7923240B5
rundll32.exe, xrefs: 00007FF7923240AE

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: HandleModule$CloseCreateFileNameThread
String ID: C:\Users\user\Desktop\mG31YklE0k.exe$rundll32.exe
API String ID: 3777150470-4265591736
Opcode ID: 0c81b422f81cfc0abfd58334d4d18dadeed99d4ebbcfda9c07a2675569b56001
Instruction ID: 277459e5ccdbc78128f7db01ed62f5bbca658fc5504ed79e96c08c0d6a9655f0
Opcode Fuzzy Hash: 0c81b422f81cfc0abfd58334d4d18dadeed99d4ebbcfda9c07a2675569b56001
Instruction Fuzzy Hash: DB013925B1875282FB24BB35F844679A361BB44B84F88417DDA4D03768EEBCF149C760

Function 00007FF792323990 Relevance: 10.7, APIs: 7, Instructions: 173
networkmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF792324ED0: RegOpenKeyA.ADVAPI32 ref: 00007FF792324F04
Part of subcall function 00007FF792324ED0: RegEnumKeyA.ADVAPI32 ref: 00007FF792324F2E
Part of subcall function 00007FF792324ED0: wsprintfA.USER32 ref: 00007FF792324F58
Part of subcall function 00007FF792324ED0: RegOpenKeyA.ADVAPI32 ref: 00007FF792324F70
Part of subcall function 00007FF792324ED0: RegQueryValueExA.ADVAPI32 ref: 00007FF792324FA3
Part of subcall function 00007FF792324ED0: LocalAlloc.KERNEL32 ref: 00007FF792324FBD
Part of subcall function 00007FF792324ED0: RegQueryValueExA.ADVAPI32 ref: 00007FF792324FEC
Part of subcall function 00007FF792324ED0: LocalFree.KERNEL32 ref: 00007FF792325004
Part of subcall function 00007FF792324ED0: RegCloseKey.ADVAPI32 ref: 00007FF792325017
Part of subcall function 00007FF792324ED0: RegEnumKeyA.ADVAPI32 ref: 00007FF792325031
Part of subcall function 00007FF792324ED0: RegCloseKey.ADVAPI32 ref: 00007FF79232504C

Part of subcall function 00007FF792324D70: EnterCriticalSection.KERNEL32 ref: 00007FF792324D9C
Part of subcall function 00007FF792324D70: LeaveCriticalSection.KERNEL32 ref: 00007FF792324DE0

CryptHashCertificate.CRYPT32 ref: 00007FF792323A80
LocalAlloc.KERNEL32 ref: 00007FF792323AC2

Part of subcall function 00007FF7923245D0: lstrcmpA.KERNEL32 ref: 00007FF792324610

LocalFree.KERNEL32 ref: 00007FF792323B2E
recv.WS2_32 ref: 00007FF792323B7C

Part of subcall function 00007FF792323E40: send.WS2_32 ref: 00007FF792323E92

WSAGetLastError.WS2_32 ref: 00007FF792323C1C
GetLastError.KERNEL32 ref: 00007FF792323C24
closesocket.WS2_32 ref: 00007FF792323C2D

Part of subcall function 00007FF792324920: CryptAcquireContextA.ADVAPI32 ref: 00007FF79232495C
Part of subcall function 00007FF792324920: GetLastError.KERNEL32 ref: 00007FF792324968
Part of subcall function 00007FF792324920: CryptAcquireContextA.ADVAPI32 ref: 00007FF79232498B
Part of subcall function 00007FF792324920: GetLastError.KERNEL32 ref: 00007FF792324997

Part of subcall function 00007FF792324780: lstrcmpA.KERNEL32 ref: 00007FF7923247AB
Part of subcall function 00007FF792324780: CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247D6
Part of subcall function 00007FF792324780: CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247F2
Part of subcall function 00007FF792324780: GetLastError.KERNEL32 ref: 00007FF7923247FC

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CryptErrorLast$AcquireContextLocal$AllocCloseCriticalEnumFreeOpenQuerySectionValuelstrcmp$CertificateEnterHashLeaveclosesocketrecvsendwsprintf
String ID:
API String ID: 2157848021-0
Opcode ID: d9e43eb65211b232cfda39747d0a0bae992af53bddefae2445599a30d4c6a848
Instruction ID: 09b4f999bb34fd402d96f5818dd0d3fd96d89bdd4863719fd3c979e7f13f51a4
Opcode Fuzzy Hash: d9e43eb65211b232cfda39747d0a0bae992af53bddefae2445599a30d4c6a848
Instruction Fuzzy Hash: 9671B532A1869281F730BB35E4403BAA3A1FF44794F80527DEA4D47695DFBCE585C760

Function 00007FF792324920 Relevance: 10.6, APIs: 7, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF79232495C
GetLastError.KERNEL32 ref: 00007FF792324968
CryptAcquireContextA.ADVAPI32 ref: 00007FF79232498B
GetLastError.KERNEL32 ref: 00007FF792324997
CryptGenRandom.ADVAPI32 ref: 00007FF7923249A9
GetLastError.KERNEL32 ref: 00007FF7923249B5
CryptReleaseContext.ADVAPI32 ref: 00007FF7923249C2

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorLast$Acquire$RandomRelease
String ID:
API String ID: 3728441355-0
Opcode ID: a232a733fd8e0f25fe72c7b9f9a56c4bbedd6f1a759a8af967787b9ae0d41743
Instruction ID: 3ed7dfb97ced0da27543101a3fde4ee86745f4c60a073c83d5f2a94d51c33125
Opcode Fuzzy Hash: a232a733fd8e0f25fe72c7b9f9a56c4bbedd6f1a759a8af967787b9ae0d41743
Instruction Fuzzy Hash: 5C215735A18B4282F760BB35A45462AA2A1FF88754F80907CEA8E53B18DF7CE449CB10

Function 00007FF792323490 Relevance: 9.1, APIs: 6, Instructions: 133networkmemoryencryptionCOMMON

Download Yara Rule

APIs

CryptHashCertificate.CRYPT32 ref: 00007FF792323509
GetLastError.KERNEL32 ref: 00007FF7923236B8

Part of subcall function 00007FF792324920: CryptAcquireContextA.ADVAPI32 ref: 00007FF79232495C
Part of subcall function 00007FF792324920: GetLastError.KERNEL32 ref: 00007FF792324968
Part of subcall function 00007FF792324920: CryptAcquireContextA.ADVAPI32 ref: 00007FF79232498B
Part of subcall function 00007FF792324920: GetLastError.KERNEL32 ref: 00007FF792324997

Part of subcall function 00007FF792324780: lstrcmpA.KERNEL32 ref: 00007FF7923247AB
Part of subcall function 00007FF792324780: CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247D6
Part of subcall function 00007FF792324780: CryptAcquireContextA.ADVAPI32 ref: 00007FF7923247F2
Part of subcall function 00007FF792324780: GetLastError.KERNEL32 ref: 00007FF7923247FC

LocalAlloc.KERNEL32 ref: 00007FF79232354B

Part of subcall function 00007FF7923245D0: lstrcmpA.KERNEL32 ref: 00007FF792324610

LocalFree.KERNEL32 ref: 00007FF7923235C1
recv.WS2_32 ref: 00007FF79232361A

Part of subcall function 00007FF792323E40: send.WS2_32 ref: 00007FF792323E92

WSAGetLastError.WS2_32 ref: 00007FF7923236B0

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CryptErrorLast$AcquireContext$Locallstrcmp$AllocCertificateFreeHashrecvsend
String ID:
API String ID: 4214944934-0
Opcode ID: fa85038c119f5b38bd7c2ce57e367f69374941e6c47017545b112d1040fbb022
Instruction ID: 1645ccc7e387ad1e6e5ff2a626b3c13798edd1355a32b863b7d8de22eab39f66
Opcode Fuzzy Hash: fa85038c119f5b38bd7c2ce57e367f69374941e6c47017545b112d1040fbb022
Instruction Fuzzy Hash: 05517322A1868282F770BB35E4403BAE7A5FB85790F80417DDA4D53B95DFBCE444CB60

Function 00007FF792324530 Relevance: 7.5, APIs: 5, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF792324553
CryptCreateHash.ADVAPI32 ref: 00007FF792324570
GetLastError.KERNEL32 ref: 00007FF79232458A
CryptReleaseContext.ADVAPI32 ref: 00007FF792324595
GetLastError.KERNEL32 ref: 00007FF79232459D

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorLast$AcquireCreateHashRelease
String ID:
API String ID: 4104741015-0
Opcode ID: 083c638682328886a08654ee61228b1e669f75f2304f506c542920b65700edee
Instruction ID: f65bec3db5eefa782a1bb32252bed4474923f0eae576edc4c862afa7ad885540
Opcode Fuzzy Hash: 083c638682328886a08654ee61228b1e669f75f2304f506c542920b65700edee
Instruction Fuzzy Hash: 70014435B18A5282F760AB31F84572AA365FB88B84F94C078DA9C46658DF7CE455CB10

Function 00007FF7923260A8 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF7923260B1

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9db8c012ab206651dfefe73e26dadfbfbf3dae9e0190084e40dbf77c9a833f44
Instruction ID: 201eb1d2423156313b3f53d3b778e4062c60d8e68130248a7da2fd5c536c0f4f
Opcode Fuzzy Hash: 9db8c012ab206651dfefe73e26dadfbfbf3dae9e0190084e40dbf77c9a833f44
Instruction Fuzzy Hash: C2C08C81E0D683C1F2253BBA086217C90655FA0700FE085BEF108802A3CCDCA085CF37

Function 00007FF7923249F0 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 00007FF792324A4F
GetLastError.KERNEL32 ref: 00007FF792324A59
GetCurrentProcess.KERNEL32 ref: 00007FF792324A81
OpenProcessToken.ADVAPI32 ref: 00007FF792324A94
GetTokenInformation.ADVAPI32 ref: 00007FF792324AC4
GetLastError.KERNEL32 ref: 00007FF792324ACE
CloseHandle.KERNEL32 ref: 00007FF792324AD9

Strings

D, xrefs: 00007FF792324B20

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastProcessToken$CloseCurrentHandleInformationOpenVersion
String ID: D
API String ID: 3901347173-2746444292
Opcode ID: 705c8f43b295bd52e6d9a15a6dbf82299f9fb6bb7b0e6dd2c407aabfea82478f
Instruction ID: d2b757e2ca242478b5ce9ebef4ff2804d2ea0af7663ae0d290bab20704d29dc9
Opcode Fuzzy Hash: 705c8f43b295bd52e6d9a15a6dbf82299f9fb6bb7b0e6dd2c407aabfea82478f
Instruction Fuzzy Hash: EC510036E1CB8286F760BB71E84426DB361FB94B44F90517DEA8E42618DF7CE589CB10

Function 00007FF792323250 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 130
registrylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF792323296
GetProcAddress.KERNEL32 ref: 00007FF7923232A6
GetCurrentProcess.KERNEL32 ref: 00007FF7923232BA

Part of subcall function 00007FF792324530: CryptAcquireContextA.ADVAPI32 ref: 00007FF792324553
Part of subcall function 00007FF792324530: CryptCreateHash.ADVAPI32 ref: 00007FF792324570

RegOpenKeyExA.ADVAPI32 ref: 00007FF7923232F4
RegQueryValueExA.ADVAPI32 ref: 00007FF792323335
RegCloseKey.ADVAPI32 ref: 00007FF79232335D
GetComputerNameW.KERNEL32 ref: 00007FF792323375
GetLastError.KERNEL32 ref: 00007FF79232337F
lstrlenA.KERNEL32 ref: 00007FF7923233BA
RegCloseKey.ADVAPI32 ref: 00007FF792323456

Part of subcall function 00007FF7923244E0: CryptGetHashParam.ADVAPI32 ref: 00007FF792324516

wsprintfA.USER32 ref: 00007FF792323421

Strings

MachineGuid, xrefs: 00007FF79232332A
kernel32.dll, xrefs: 00007FF79232328A
%.2x, xrefs: 00007FF792323414
IsWow64Process, xrefs: 00007FF79232329F
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF7923232E6

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Crypt$CloseHash$AcquireAddressComputerContextCreateCurrentErrorHandleLastModuleNameOpenParamProcProcessQueryValuelstrlenwsprintf
String ID: %.2x$IsWow64Process$MachineGuid$SOFTWARE\Microsoft\Cryptography$kernel32.dll
API String ID: 932469847-1683008531
Opcode ID: cc5091a3ecd151b3db448090e7f0cdabd79d8512507a13b9d0a34b427571998c
Instruction ID: 1c476dc06f604a9c1917f33f5547ee012b8cf2a63af182f3e635ce3b210251bc
Opcode Fuzzy Hash: cc5091a3ecd151b3db448090e7f0cdabd79d8512507a13b9d0a34b427571998c
Instruction Fuzzy Hash: D0513F32B18A4286FB61BF25E48026AB365FF84794FC050BDEA8D43A59DFBCD545CB10

Function 00007FF792324ED0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 94
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 00007FF792324F04
RegEnumKeyA.ADVAPI32 ref: 00007FF792324F2E
wsprintfA.USER32 ref: 00007FF792324F58
RegOpenKeyA.ADVAPI32 ref: 00007FF792324F70
RegQueryValueExA.ADVAPI32 ref: 00007FF792324FA3
LocalAlloc.KERNEL32 ref: 00007FF792324FBD
RegQueryValueExA.ADVAPI32 ref: 00007FF792324FEC
LocalFree.KERNEL32 ref: 00007FF792325004

Part of subcall function 00007FF792325080: lstrcmpA.KERNEL32 ref: 00007FF79232514B
Part of subcall function 00007FF792325080: StrToIntExA.SHLWAPI ref: 00007FF7923251D8

GetLastError.KERNEL32 ref: 00007FF79232500C
RegCloseKey.ADVAPI32 ref: 00007FF792325017
RegEnumKeyA.ADVAPI32 ref: 00007FF792325031
RegCloseKey.ADVAPI32 ref: 00007FF79232504C

Strings

%s\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00007FF792324F49
ProxyServer, xrefs: 00007FF792324F8D, 00007FF792324FDA

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CloseEnumLocalOpenQueryValue$AllocErrorFreeLastlstrcmpwsprintf
String ID: %s\Software\Microsoft\Windows\CurrentVersion\Internet Settings$ProxyServer
API String ID: 2880357921-3364920562
Opcode ID: f703fd26846dc93f59185746bafd58968d219d916680c9288a364d4a59a2561a
Instruction ID: 43571d29d79ca43a3457dae522facb78e2e733ab3e94243839e8ca42a11ab887
Opcode Fuzzy Hash: f703fd26846dc93f59185746bafd58968d219d916680c9288a364d4a59a2561a
Instruction Fuzzy Hash: 99414131618A8682FB70BB21E8547AAF361FF84B84F84817DDA8E43A58DF7CD545CB50

Function 00007FF7923236F0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 158
stringmemorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32 ref: 00007FF79232371A
select.WS2_32 ref: 00007FF7923237B7
__WSAFDIsSet.WS2_32 ref: 00007FF7923237D6
recv.WS2_32 ref: 00007FF7923237F7
lstrlenA.KERNEL32 ref: 00007FF792323864
lstrlenA.KERNEL32 ref: 00007FF79232387E
lstrcmpA.KERNEL32 ref: 00007FF7923238E6

Strings

{{{$%.8x}}}, xrefs: 00007FF79232389C
ERROR: Unknown command, xrefs: 00007FF792323903
, xrefs: 00007FF792323870

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocLocallstrcmprecvselect
String ID: $ERROR: Unknown command${{{$%.8x}}}
API String ID: 2706044607-2894458212
Opcode ID: ef6d48c5f118d34ece9a34bd44b64fe268e488214005fbaa3fcbe0b0dfa20124
Instruction ID: d6f67a8fcc9df19c45ef97071ae62fa2ef5ddba71cf4047a57410402d6bae2b7
Opcode Fuzzy Hash: ef6d48c5f118d34ece9a34bd44b64fe268e488214005fbaa3fcbe0b0dfa20124
Instruction Fuzzy Hash: 54619D21A0C68281FB74BB35A548379A3A5FF45BA4FC402BDDE8E46795DEBCE005C620

Function 00007FF7923260C4 Relevance: 15.1, APIs: 10, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7923260D8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7923260ED
__scrt_release_startup_lock.LIBCMT ref: 00007FF79232615B
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7923261A9
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7923261AE
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7923261B6
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7923261BE
__scrt_is_managed_app.LIBCMT ref: 00007FF7923261D2
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7923261E0
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF79232623A

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3019265742-0
Opcode ID: 5b28b9beae6e416053ad1fa9bd32edf6f43d44722f117cbf754f38e8f985c628
Instruction ID: b87f6c2475e85e1d7292ec8304ecf077c6b1177fad622b1248a0349f27db6d7b
Opcode Fuzzy Hash: 5b28b9beae6e416053ad1fa9bd32edf6f43d44722f117cbf754f38e8f985c628
Instruction Fuzzy Hash: 2D310B21E1C65282FA34BB35A5513B9A291AF85784FC4C0BDDA8D073D7DEADF805CA70

Function 00007FF792323ED0 Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF792323F0C
LocalAlloc.KERNEL32 ref: 00007FF792323F27
WideCharToMultiByte.KERNEL32 ref: 00007FF792323F56

Part of subcall function 00007FF792323E40: send.WS2_32 ref: 00007FF792323E92

LocalFree.KERNEL32 ref: 00007FF792323F7C
GetLastError.KERNEL32 ref: 00007FF792323F9F

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWide$AllocErrorFreeLastsend
String ID:
API String ID: 3661506369-0
Opcode ID: 94ae4495e992c11c641c07ac0312475bce97894452f816ca4795e1d6352c8905
Instruction ID: cd36e95e3f9b999c53aff3fef4b559c00c437a98f7337474fbbd25884789e2cd
Opcode Fuzzy Hash: 94ae4495e992c11c641c07ac0312475bce97894452f816ca4795e1d6352c8905
Instruction Fuzzy Hash: B0216A36B18B4286E724EF22B884029BBA6FB88F90B44017CDF4953B64DF7CE556C750

Function 00007FF792323E40 Relevance: 3.0, APIs: 2, Instructions: 39networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF792323E92
WSAGetLastError.WS2_32 ref: 00007FF792323EC0

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 788791f3708ea20983311082fad8352eb56ef84cefd3e600651340c004df7d0e
Instruction ID: ca6d8c6b4063255791578ce4347800098fbc9b90dad4f94b469079d1b422b41d
Opcode Fuzzy Hash: 788791f3708ea20983311082fad8352eb56ef84cefd3e600651340c004df7d0e
Instruction Fuzzy Hash: CD01D432E1864285F370BB31B580279E2A1FF88B90F98457CDA4D43B55DEBCE444C750

Non-executed Functions

Function 00007FF792325430 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 216networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF792323FB0: gethostbyname.WS2_32 ref: 00007FF792323FD0
Part of subcall function 00007FF792323FB0: inet_addr.WS2_32 ref: 00007FF792323FE1

socket.WS2_32 ref: 00007FF79232549A
WSAGetLastError.WS2_32 ref: 00007FF7923254A9

Strings

CONNECT %s:%d HTTP/1.0, xrefs: 00007FF7923254F5
, xrefs: 00007FF7923256AD

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastgethostbynameinet_addrsocket
String ID: $CONNECT %s:%d HTTP/1.0
API String ID: 1837667487-1618206690
Opcode ID: fd1145cb3e59b9725c0e8ec7a43d72114c9004003418f53f3f910ab1c911184e
Instruction ID: 111470b40bf036601f050440e5756963e02556804fc402c40cc46dfa76332ad1
Opcode Fuzzy Hash: fd1145cb3e59b9725c0e8ec7a43d72114c9004003418f53f3f910ab1c911184e
Instruction Fuzzy Hash: 5E91812560864286F774BF35A8443B9A365FF45B94FC0117DEA1E46AD4DFBCE205C720

Function 00007FF792322330 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 187filememorystringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 00007FF792322384
lstrlenA.KERNEL32 ref: 00007FF7923223A3
GetDriveTypeA.KERNEL32 ref: 00007FF7923223C2
GetLastError.KERNEL32 ref: 00007FF7923223FF
MultiByteToWideChar.KERNEL32 ref: 00007FF792322423
LocalAlloc.KERNEL32 ref: 00007FF792322450
GetLastError.KERNEL32 ref: 00007FF79232245E
MultiByteToWideChar.KERNEL32 ref: 00007FF79232248F
FindFirstFileW.KERNEL32 ref: 00007FF7923224E6
wsprintfW.USER32 ref: 00007FF792322542
wsprintfW.USER32 ref: 00007FF79232256B
FindNextFileW.KERNEL32 ref: 00007FF79232258D
FindClose.KERNEL32 ref: 00007FF7923225A0
FindClose.KERNEL32 ref: 00007FF7923225B0
LocalFree.KERNEL32 ref: 00007FF7923225C1

Strings

D %s, xrefs: 00007FF79232253B
{{{#%.8x}}}, xrefs: 00007FF7923225DA
D %s, xrefs: 00007FF7923223CF
0x%I64x %s, xrefs: 00007FF792322557

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Find$ByteCharCloseDriveErrorFileLastLocalMultiWidewsprintf$AllocFirstFreeLogicalNextStringsTypelstrlen
String ID: 0x%I64x %s$D %s$D %s${{{#%.8x}}}
API String ID: 4240627101-2220868598
Opcode ID: 06c2d9c40caafc6060978beb0396fcd42b8ad7ac7e76347dadabbb5eae34b6d6
Instruction ID: b334537041197fe1ef500535511cf3614f6360fef2b4e525f593bacb283860cd
Opcode Fuzzy Hash: 06c2d9c40caafc6060978beb0396fcd42b8ad7ac7e76347dadabbb5eae34b6d6
Instruction Fuzzy Hash: 66819462A0868286F730BB36A81027AE7A5FF44B94FD4417DDE5E43694DFBCE445C720

Function 00007FF792322620 Relevance: 30.2, APIs: 20, Instructions: 209memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF792322662
GetLastError.KERNEL32 ref: 00007FF792322670
MultiByteToWideChar.KERNEL32 ref: 00007FF7923226A1
GetLastError.KERNEL32 ref: 00007FF7923226AD
LocalFree.KERNEL32 ref: 00007FF79232293B

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastLocal$AllocByteCharFreeMultiWide
String ID:
API String ID: 3698746609-0
Opcode ID: 20b431f87f550ca13bd797d0e9c3cd71a0e3300971d98448ecb009b465a6176b
Instruction ID: b04cbd66ee03acaf07684553bf1e7b33c86a7c77e202d3f2e62d09ca94eba601
Opcode Fuzzy Hash: 20b431f87f550ca13bd797d0e9c3cd71a0e3300971d98448ecb009b465a6176b
Instruction Fuzzy Hash: BB919331A1864286F730BB36A84437AE2A1FF85B90F94457DDA5D43B94DFBCE445C720

Function 00007FF792322970 Relevance: 28.7, APIs: 19, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF7923229AB
GetLastError.KERNEL32 ref: 00007FF7923229B9
MultiByteToWideChar.KERNEL32 ref: 00007FF7923229EC
GetLastError.KERNEL32 ref: 00007FF7923229F8
LocalFree.KERNEL32 ref: 00007FF792322C62

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastLocal$AllocByteCharFreeMultiWide
String ID:
API String ID: 3698746609-0
Opcode ID: ec638173b2777ea0177f7648dc120a072e466c571d84b125b11ac355dd3df3c6
Instruction ID: b98cd66f63dd817211e8e2eebb48694d7356658d1dd21902c016bf9ba2ffe7ce
Opcode Fuzzy Hash: ec638173b2777ea0177f7648dc120a072e466c571d84b125b11ac355dd3df3c6
Instruction Fuzzy Hash: 8D81A021B0865282F730BB36AC4037AE6A1FB85B94F94157CDE4E43BA4DEBCE444C760

Function 00007FF792326740 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF79232675C
RtlCaptureContext.KERNEL32 ref: 00007FF792326789
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7923267A3
RtlVirtualUnwind.KERNEL32 ref: 00007FF7923267E4
IsDebuggerPresent.KERNEL32 ref: 00007FF792326838
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF792326859
UnhandledExceptionFilter.KERNEL32 ref: 00007FF792326864

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 0c82e3394a8510cb68c394d617c049d229b19ce87432c1eb93262b18cd8805f6
Instruction ID: 5a2bf1ed2d21ad71eac87e93041582bed5eae9401288a44e908e4c78c8620236
Opcode Fuzzy Hash: 0c82e3394a8510cb68c394d617c049d229b19ce87432c1eb93262b18cd8805f6
Instruction Fuzzy Hash: 77310B62619B8186EB60AF74E8503EDB365FB84748F84443EDA4D47A98DF78D548CB20

Function 00007FF7923244E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF792324516

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CryptHashParam
String ID:
API String ID: 1839025277-0
Opcode ID: 009c0628bc1a6b489b12d5b328a448f1418db9c0fe8e5bf7062187ece7f25820
Instruction ID: 599186598206e583673666052cccdce6e6ffaddd112429874b27e754df38f619
Opcode Fuzzy Hash: 009c0628bc1a6b489b12d5b328a448f1418db9c0fe8e5bf7062187ece7f25820
Instruction Fuzzy Hash: 01E092A193878082F310EF20E45135AB360FBC4B84FC06629F68E12725DF7CD181CA00

Function 00007FF79232B0D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86183fdb6df3387678390004221b7ff6591743fd74693a0b0da62dce99e1fcf4
Instruction ID: 034e5e6099e141df9f26c29f52f123cd2d0858a61cdf2db7dab0e39e1e9dfcaa
Opcode Fuzzy Hash: 86183fdb6df3387678390004221b7ff6591743fd74693a0b0da62dce99e1fcf4
Instruction Fuzzy Hash: 30D09E47C0D3C30BD3038A709C117183F704763904B4E80B7C684C22C3D88DB4458762

Function 00007FF79232B070 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4408146ef460cab551af539e831ab92c5b29fa9073a41be110d1d290c3d8dd6
Instruction ID: 318d70931d7ca8b6eae560ce57e6a480db8b5309efe6d3a19256843270c5ad98
Opcode Fuzzy Hash: a4408146ef460cab551af539e831ab92c5b29fa9073a41be110d1d290c3d8dd6
Instruction Fuzzy Hash: FAC0027780C8C55AEF622A3815751B8AF61E793A00B4C89EDC3D441447D6952926E210

Function 00007FF79232B0F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61379237795740a4421243524e19946e8ca7b2d51c89735acc694ad8f7a246f7
Instruction ID: fb8dd11f56a09b9ede5fd55233c9e9f5823ab8facd3e3672c7d7a54dc0c5b985
Opcode Fuzzy Hash: 61379237795740a4421243524e19946e8ca7b2d51c89735acc694ad8f7a246f7
Instruction Fuzzy Hash: FAC0044794E7C20BE3139A7088226192F7046A790878EC0A3CB84C26D7D88DA8099366

Function 00007FF79232B0E8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955a012982ad6cfdd8961d5dd14c72c3c1b394eb8dd5432c395f4f61fc1d283f
Instruction ID: 20b7a0f421fc790e0bd844dae5861f916282f52907feac1a41c07a65b6bca0f6
Opcode Fuzzy Hash: 955a012982ad6cfdd8961d5dd14c72c3c1b394eb8dd5432c395f4f61fc1d283f
Instruction Fuzzy Hash:

Function 00007FF7923245C0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82f3e827c08fd19ba73e2328c3f35819d3b249727deab1a1e0ca7123c08a8a1
Instruction ID: dc9652978e8b46c4290b0fe43954d37cf75c1448a109fae5d79a8dcd6b869168
Opcode Fuzzy Hash: a82f3e827c08fd19ba73e2328c3f35819d3b249727deab1a1e0ca7123c08a8a1
Instruction Fuzzy Hash:

Function 00007FF79232B068 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6381fa1539c911b83103003f2b337b5421d28f03a24b72a335d6e44ab7f58d51
Instruction ID: c3c79d711dc8b87be67c0e4752e25fd5045f3ce26b47d6ff6dc79caf6e2ebda2
Opcode Fuzzy Hash: 6381fa1539c911b83103003f2b337b5421d28f03a24b72a335d6e44ab7f58d51
Instruction Fuzzy Hash:

Function 00007FF792322CA0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125registrymemorystringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00007FF792322CCA
RegOpenKeyExA.ADVAPI32 ref: 00007FF792322CFD
RegOpenKeyA.ADVAPI32 ref: 00007FF792322D1A
LocalAlloc.KERNEL32 ref: 00007FF792322D3A
RegEnumValueA.ADVAPI32 ref: 00007FF792322D9B
lstrcmpA.KERNEL32 ref: 00007FF792322DD1
RegDeleteValueA.ADVAPI32 ref: 00007FF792322DE5
RegOpenKeyExA.ADVAPI32 ref: 00007FF792322E12
RegOpenKeyA.ADVAPI32 ref: 00007FF792322E2F
RegDeleteValueA.ADVAPI32 ref: 00007FF792322E43
RegCloseKey.ADVAPI32 ref: 00007FF792322E4E
RegEnumValueA.ADVAPI32 ref: 00007FF792322E95
LocalFree.KERNEL32 ref: 00007FF792322EAE
RegCloseKey.ADVAPI32 ref: 00007FF792322EC1

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer, xrefs: 00007FF792322DF1, 00007FF792322E28
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF792322CEF, 00007FF792322D13

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: OpenValue$CloseDeleteEnumLocal$AllocCommandFreeLinelstrcmp
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 977922673-3122858842
Opcode ID: 4d4b936d614c47ce9995d5b5811eaf795889825debfa6f074eff5b6f8549e8fd
Instruction ID: d5589fb16f5629351a2e64e67e8e524115f09df42151b001e5df10f6815ad7e4
Opcode Fuzzy Hash: 4d4b936d614c47ce9995d5b5811eaf795889825debfa6f074eff5b6f8549e8fd
Instruction Fuzzy Hash: 80513332608B8185FB21AF21E8407AAF3A5FB84B94F84417DEA9D43B58DFBCD549C710

Function 00007FF792325080 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 202stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF792325DE0: lstrlenA.KERNEL32 ref: 00007FF792325E27

Part of subcall function 00007FF792325D50: lstrlenA.KERNEL32 ref: 00007FF792325D8B
Part of subcall function 00007FF792325D50: lstrlenA.KERNEL32 ref: 00007FF792325DB4

LocalFree.KERNEL32 ref: 00007FF792325305

Part of subcall function 00007FF792325DE0: LocalAlloc.KERNEL32 ref: 00007FF792325E75

lstrcmpA.KERNEL32 ref: 00007FF79232514B
lstrcmpA.KERNEL32 ref: 00007FF792325166
StrToIntExA.SHLWAPI ref: 00007FF7923251D8
lstrcmpA.KERNEL32 ref: 00007FF79232522D
lstrcpynA.KERNEL32 ref: 00007FF792325257
lstrcpynA.KERNEL32 ref: 00007FF79232528A
GetLastError.KERNEL32 ref: 00007FF7923252BF
LocalFree.KERNEL32 ref: 00007FF7923252CE
LocalFree.KERNEL32 ref: 00007FF7923252DD
LocalFree.KERNEL32 ref: 00007FF7923252EC
LocalFree.KERNEL32 ref: 00007FF7923252FB

Strings

socks, xrefs: 00007FF79232515F
http, xrefs: 00007FF792325144

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: Local$Free$lstrcmplstrlen$lstrcpyn$AllocErrorLast
String ID: http$socks
API String ID: 1651737292-202976403
Opcode ID: 94a48dea6e8920c907405bd2dc88822abc89cd400761f62907b2530ebbb26e4d
Instruction ID: 5ace58c4dd56b112459f903b42c29bb49818da2139f3b50613a515c9b0a5dec4
Opcode Fuzzy Hash: 94a48dea6e8920c907405bd2dc88822abc89cd400761f62907b2530ebbb26e4d
Instruction Fuzzy Hash: 63818322B1861285FB28FF7199446BDA365BF44B88FC0107DDE0E53A94DFB8E646C360

Function 00007FF792322170 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 88processsynchronizationCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF7923221AA
CloseHandle.KERNEL32 ref: 00007FF7923221BE
GetStartupInfoA.KERNEL32 ref: 00007FF7923221DF
CreateProcessA.KERNEL32 ref: 00007FF792322229
WaitForSingleObject.KERNEL32 ref: 00007FF792322245
TerminateProcess.KERNEL32 ref: 00007FF79232225B
CloseHandle.KERNEL32 ref: 00007FF79232227D
CloseHandle.KERNEL32 ref: 00007FF792322288

Strings

30D78F9B-C56E-472C-8A29-E91111115, xrefs: 00007FF7923222A1

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CreateInfoObjectSingleStartupTerminateWaitclosesocket
String ID: 30D78F9B-C56E-472C-8A29-E91111115
API String ID: 3546384811-2607164518
Opcode ID: c6739ca2ae6a13fbcbd2b6d1d2a7a3e647980335907db84081b347a6887bbbab
Instruction ID: 795057e27d0723ecccaa20fca18e81d66c990fbab92529c9808a39306382a247
Opcode Fuzzy Hash: c6739ca2ae6a13fbcbd2b6d1d2a7a3e647980335907db84081b347a6887bbbab
Instruction Fuzzy Hash: 5141EB3191CB4282FB60BB61E84436AE3A1FF94790F90457DD98D46A64DFBCF485CB60

Function 00007FF7923257E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF792323FB0: gethostbyname.WS2_32 ref: 00007FF792323FD0
Part of subcall function 00007FF792323FB0: inet_addr.WS2_32 ref: 00007FF792323FE1

socket.WS2_32 ref: 00007FF792325840
WSAGetLastError.WS2_32 ref: 00007FF79232584F

Strings

Z, xrefs: 00007FF7923258E9

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastgethostbynameinet_addrsocket
String ID: Z
API String ID: 1837667487-1505515367
Opcode ID: 78e4a5df49b98a024ca9cb515cfde3272df46432125bda3cb33814f8367d651f
Instruction ID: cd0441d531b6b36f09fee73c70d147d7d47b4e973d4a2089d5d400f16da5c60a
Opcode Fuzzy Hash: 78e4a5df49b98a024ca9cb515cfde3272df46432125bda3cb33814f8367d651f
Instruction Fuzzy Hash: 2C318322A1864581F678BB31E4447B9B260FF49B74F80137DEA6E46AD4DFBCD544C720

Function 00007FF792325950 Relevance: 13.6, APIs: 9, Instructions: 106networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF792323FB0: gethostbyname.WS2_32 ref: 00007FF792323FD0
Part of subcall function 00007FF792323FB0: inet_addr.WS2_32 ref: 00007FF792323FE1

socket.WS2_32 ref: 00007FF7923259B0
WSAGetLastError.WS2_32 ref: 00007FF7923259BF

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastgethostbynameinet_addrsocket
String ID:
API String ID: 1837667487-0
Opcode ID: aa8693d1c8d03eacc3825fc6779a4fed3fed2c8509551fa53c11dcfeebd77fde
Instruction ID: 88f347aa9721066cafd8310572c0770fbd5d4b9c5ce3c652d0dbf827357bc2f5
Opcode Fuzzy Hash: aa8693d1c8d03eacc3825fc6779a4fed3fed2c8509551fa53c11dcfeebd77fde
Instruction Fuzzy Hash: 5F419221A1868181F775BB31E4857B9A3A1FB48770F94137DEA6E02AD4DFBCD548CB10

Function 00007FF792324D70 Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF792324D9C
LeaveCriticalSection.KERNEL32 ref: 00007FF792324DE0

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 958dbccbd1fbf5c21257f8691a4d2ad849c25a8524c0973bdedd82df4990e226
Instruction ID: b09d4d397f60c9ff2ae6ca2d2fb4c8a82bf5d1aadb2ed8884338037943abf2ea
Opcode Fuzzy Hash: 958dbccbd1fbf5c21257f8691a4d2ad849c25a8524c0973bdedd82df4990e226
Instruction Fuzzy Hash: 8331EF61E1C65282F630BB30B40053AE361FF94BA4F94137DEA5D02AA9DFACE448C720

Function 00007FF792325B20 Relevance: 7.6, APIs: 5, Instructions: 61networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF792325B92
__WSAFDIsSet.WS2_32 ref: 00007FF792325BA9
__WSAFDIsSet.WS2_32 ref: 00007FF792325BBD
recv.WS2_32 ref: 00007FF792325BDF
WSAGetLastError.WS2_32 ref: 00007FF792325BF0

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: ErrorLastrecvselect
String ID:
API String ID: 2792163092-0
Opcode ID: 5fc93c11fa2c1f7786afaa37de16675dca183815d4d8ea10c6b54cbc3c1290db
Instruction ID: 618715ee29f484961951ee2d91b29bd66393cd36b541ef8974904d7e37c39b60
Opcode Fuzzy Hash: 5fc93c11fa2c1f7786afaa37de16675dca183815d4d8ea10c6b54cbc3c1290db
Instruction Fuzzy Hash: 0A21B3A160C78281F774BB75A94437AA251AF85794F80127DFE4D82ED4DFBCD505CA10

Function 00007FF792324040 Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF792324049
GetCurrentProcessId.KERNEL32 ref: 00007FF79232404F
GetCurrentThreadId.KERNEL32 ref: 00007FF792324055
ExitProcess.KERNEL32 ref: 00007FF792324073

Memory Dump Source

Source File: 00000000.00000002.2555584235.00007FF792321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF792320000, based on PE: true

Associated: 00000000.00000002.2555558138.00007FF792320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555609498.00007FF792328000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2555625467.00007FF79232A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff792320000_mG31YklE0k.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitThread
String ID:
API String ID: 2249902822-0
Opcode ID: 95b05f36fe5a8d2e56da26327f11ad70a9561a9186ee40ff299f0a290bec8e87
Instruction ID: 33f2555c54755f3b7d03c7a2a2d3b75d5e8533b18fcc48805d9d8d703454250b
Opcode Fuzzy Hash: 95b05f36fe5a8d2e56da26327f11ad70a9561a9186ee40ff299f0a290bec8e87
Instruction Fuzzy Hash: CDE0EC61E1891A82F7247771E85C238A321BF18B21F84417CC519063A4DEAC789AC310

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mG31YklE0k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Tmp13AC.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
mG31YklE0k.exe

Function 00007FF792321B50 Relevance: 96.6, APIs: 51, Strings: 4, Instructions: 388
memorypipenetworkCOMMON

Function 00007FF792322F00 Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 171
networksleepstringCOMMON

Function 00007FF7923245D0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 115
encryptionstringCOMMON

Function 00007FF792324780 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 100
encryptionmemorystringCOMMON

Function 00007FF792324BE0 Relevance: 24.1, APIs: 16, Instructions: 97
memoryCOMMON

Function 00007FF792323D20 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 75
libraryloadermemoryCOMMON

Function 00007FF792324130 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 133
encryptionCOMMON

Function 00007FF7923243C0 Relevance: 13.6, APIs: 9, Instructions: 71
encryptionCOMMON

Function 00007FF792324080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43
threadCOMMON