Edit tour

Windows Analysis Report
update_390_391.exe

Overview

General Information

Sample name:	update_390_391.exe
Analysis ID:	1468065
MD5:	c2c9b0b8b275defd42be10314f13b480
SHA1:	1a268efea3cc2f56ddb154487e501550f0540696
SHA256:	04ce55570cf7a827499636a577617bcdc80bfb1239f8b71caa7559a90f30b528
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

update_390_391.exe (PID: 4044 cmdline: "C:\Users\user\Desktop\update_390_391.exe" MD5: C2C9B0B8B275DEFD42BE10314F13B480)

update_390_391.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\update_390_391.exe" MD5: C2C9B0B8B275DEFD42BE10314F13B480)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
update_390_391.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1176732125.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: update_390_391.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: update_390_391.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: clean0.winEXE@2/2@0/0

Source: C:\Users\user\Desktop\update_390_391.exe

File created: C:\Users\user\Desktop\ _avk_0.0.0.txt

Source: Yara match	File source: update_390_391.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1176732125.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: update_390_391.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\update_390_391.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\update_390_391.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\update_390_391.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\update_390_391.exe

File read: C:\Users\user\Desktop\update_390_391.exe

Source: unknown	Process created: C:\Users\user\Desktop\update_390_391.exe "C:\Users\user\Desktop\update_390_391.exe"
Source: unknown	Process created: C:\Users\user\Desktop\update_390_391.exe "C:\Users\user\Desktop\update_390_391.exe"

Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update_390_391.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\update_390_391.exe

Window found: window name: TButton

Source: update_390_391.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: update_390_391.exe

Static file information: File size 28808560 > 1048576

Source: update_390_391.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x133800

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
update_390_391.exe	0%	ReversingLabs
update_390_391.exe	5%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468065
Start date and time:	2024-07-05 09:50:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	update_390_391.exe
Detection:	CLEAN
Classification:	clean0.winEXE@2/2@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\Users\user\Desktop\ _avk_0.0.0.txt

Download File

Process:	C:\Users\user\Desktop\update_390_391.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	332
Entropy (8bit):	3.6014829069277465
Encrypted:	false
SSDEEP:
MD5:	7E13A91153CABFE9DFED5FD0B5F0F1CB
SHA1:	42FE54AC6C58D67CDF4AF3E727F5D800BA33F6D2
SHA-256:	1FC27D5091274C01DF8AE538DA538F41DC239069E9E830049B6543443CF1136F
SHA-512:	482ABD86DC5D7B5C34C627C322F93BF9B956F55092B3E651B0AF187DB2A58984A2940BF90341BB237E9EB233E979C68FF8370A1A69FEA436DAB0E6AA8A35F94E
Malicious:	false
Reputation:	unknown
Preview:	...... 05/07/2024 03:51:30.....???? ???????: "English"..1. ??????????..1.1. ????????? "C:\Users\user\Desktop\update_390_391.exe"..1.2. ?????????????..1.3. ????????? ??????????? ??????????? ????????? ????????..1.4. ????? ????? "avk.exe".....???????? "update_390_391.exe" ??????? ???????????? ? ????? ???-5..1.4. ???????..1. ???????..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.9661758417480995
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Windows Screen Saver (13104/52) 0.13% DOS Executable Borland C++ (13009/5) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	update_390_391.exe
File size:	28'808'560 bytes
MD5:	c2c9b0b8b275defd42be10314f13b480
SHA1:	1a268efea3cc2f56ddb154487e501550f0540696
SHA256:	04ce55570cf7a827499636a577617bcdc80bfb1239f8b71caa7559a90f30b528
SHA512:	828d426fffa04eedc6137e88fce528a0a88d37c6d5ae412bf3ff644362a4b3df14090af55cb63baaac03d35d5b5b06a09cd946841693d0f5be2ab859b8f0ca82
SSDEEP:	786432:z9sg4J3dqRxyp0S0CajM0mSFJOS9h2fuhD:P4JNq78VAnB0ah2GF
TLSH:	B7573326B860C533C06927749D2AF7B0607AFF447A2551D732E07E0E3FB5E923D26986
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	66ece47474363a58

Static PE Info

General

Entrypoint:	0x401798
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x6662B53C [Fri Jun 7 07:22:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	499cf71d4de8210851bd4e2772ff9278

Entrypoint Preview

Instruction
jmp 00007F27B4B40622h
bound di, dword ptr [edx]
inc ebx
sub ebp, dword ptr [ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 00007F27B50756ADh
mov eax, dword ptr [0053508Bh]
shl eax, 02h
mov dword ptr [0053508Fh], eax
push edx
push 00000000h
call 00007F27B4C72C5Eh
mov edx, eax
call 00007F27B4C66BDBh
pop edx
call 00007F27B4C66B39h
call 00007F27B4C66C10h
push 00000000h
call 00007F27B4C6802Dh
pop ecx
push 00535034h
push 00000000h
call 00007F27B4C72C38h
mov dword ptr [00535093h], eax
push 00000000h
jmp 00007F27B4C6DA74h
jmp 00007F27B4C6805Bh
xor eax, eax
mov al, byte ptr [0053507Dh]
ret
mov eax, dword ptr [00535093h]
ret
pushad
mov ebx, BCB05000h
push ebx
push 00000BADh
ret
mov ecx, 000000B4h
or ecx, ecx
je 00007F27B4B4065Fh
cmp dword ptr [0053508Bh], 00000000h
jnc 00007F27B4B4061Ch
mov eax, 000000FEh
call 00007F27B4B405ECh
mov ecx, 000000B4h
push ecx
push 00000008h
call 00007F27B4C72BFBh
push eax
call 00007F27B4C72C7Fh
or eax, eax
jne 00007F27B4B4061Ch
mov eax, 000000FDh
call 00007F27B4B405CBh
push eax
push eax
push dword ptr [0053508Bh]
call 00007F27B4C6DC3Eh
push dword ptr [0053508Bh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169000	0x2dfc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16c000	0x69e20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d6000	0x13ae0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x168000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x134000	0x133800	58b04912a5d3624a4a491c6b93776ac6	False	0.4938944994918699	data	6.548327546590203	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x135000	0x32000	0x2b200	fabc95adc67aed38e18ff4e5328ac09e	False	0.2225373641304348	data	4.333810078949944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x167000	0x1000	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x168000	0x1000	0x200	5b2f1aa10339084143d88a737298f3d6	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata	0x169000	0x3000	0x2e00	de9a92dd42df4f2e7c7fe9007d2192d9	False	0.32693614130434784	data	5.274162404137791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x16c000	0x69e20	0x6a000	86dbd8981bf1f896d733b455f1232078	False	0.17861650574882076	data	3.7785925360231953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1d6000	0x14000	0x13c00	171afce45fe774a28f60e1ad67ed81b4	False	0.5782486155063291	data	6.586797919077141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x16d070	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x16d1a4	0x134	data			0.4642857142857143
RT_CURSOR	0x16d2d8	0x134	data			0.4805194805194805
RT_CURSOR	0x16d40c	0x134	data			0.38311688311688313
RT_CURSOR	0x16d540	0x134	data			0.36038961038961037
RT_CURSOR	0x16d674	0x134	data			0.4090909090909091
RT_CURSOR	0x16d7a8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x16d8dc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m			0.33620689655172414
RT_BITMAP	0x16d9c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x16db94	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x16dd78	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x16df48	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x16e118	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x16e2e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x16e4b8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x16e688	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x16e858	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x16ea28	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x16ebf8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m			0.6551724137931034
RT_BITMAP	0x16ece0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m			0.5905172413793104
RT_BITMAP	0x16edc8	0x88	Device independent bitmap graphic, 8 x 8 x 4, image size 32, resolution 2835 x 2835 px/m			0.6985294117647058
RT_BITMAP	0x16ee50	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768			0.4344059405940594
RT_BITMAP	0x16f178	0x88	Device independent bitmap graphic, 8 x 8 x 4, image size 32, resolution 2835 x 2835 px/m			0.6911764705882353
RT_BITMAP	0x16f200	0x88	Device independent bitmap graphic, 8 x 8 x 4, image size 32, resolution 2835 x 2835 px/m			0.6985294117647058
RT_BITMAP	0x16f288	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768			0.3353960396039604
RT_BITMAP	0x16f5b0	0x88	Device independent bitmap graphic, 8 x 8 x 4, image size 32, resolution 2835 x 2835 px/m			0.6985294117647058
RT_BITMAP	0x16f638	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0x16f720	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Russian	Russia	0.3185483870967742
RT_DIALOG	0x16fa08	0x52	data			0.7682926829268293
RT_STRING	0x16fa5c	0x124	Matlab v4 mat-file (little endian) 7\004K\004:\004 , numeric, rows 0, columns 0	Russian	Russia	0.5171232876712328
RT_STRING	0x16fb80	0x318	data	Russian	Russia	0.3813131313131313
RT_STRING	0x16fe98	0x5a4	data	Russian	Russia	0.3157894736842105
RT_STRING	0x17043c	0x8ac	data	Russian	Russia	0.3346846846846847
RT_STRING	0x170ce8	0x6ae	data	Russian	Russia	0.3280701754385965
RT_STRING	0x171398	0x740	data	Russian	Russia	0.3232758620689655
RT_STRING	0x171ad8	0x5fc	data	Russian	Russia	0.33159268929503916
RT_STRING	0x1720d4	0x5c8	data	Russian	Russia	0.3668918918918919
RT_STRING	0x17269c	0x5bc	Targa image data 1082 x 1072 x 32 +1080 +1090 "8\004A\004E\004>\0044\004=\004K\004E\004 "	Russian	Russia	0.3971389645776567
RT_STRING	0x172c58	0x30e	data	Russian	Russia	0.3797953964194373
RT_STRING	0x172f68	0x5ca	data	Russian	Russia	0.3616734143049933
RT_STRING	0x173534	0x816	data	Russian	Russia	0.3169082125603865
RT_STRING	0x173d4c	0x168	Targa image data - Color 99 x 107 x 32 +68 +111 "z"			0.5194444444444445
RT_STRING	0x173eb4	0x314	data			0.4619289340101523
RT_STRING	0x1741c8	0xd8	data			0.5879629629629629
RT_STRING	0x1742a0	0x178	data			0.5186170212765957
RT_STRING	0x174418	0x238	data			0.4753521126760563
RT_STRING	0x174650	0x3c4	data			0.3848547717842324
RT_STRING	0x174a14	0x3d4	data			0.39081632653061227
RT_STRING	0x174de8	0x1b4	data			0.4610091743119266
RT_STRING	0x174f9c	0xec	data			0.5550847457627118
RT_STRING	0x175088	0x198	data			0.5171568627450981
RT_STRING	0x175220	0x398	data			0.3358695652173913
RT_STRING	0x1755b8	0x374	data			0.417420814479638
RT_STRING	0x17592c	0x2b8	data			0.3850574712643678
RT_STRING	0x175be4	0x42c	data			0.3838951310861423
RT_STRING	0x176010	0x39c	data			0.3538961038961039
RT_STRING	0x1763ac	0x478	data			0.38548951048951047
RT_RCDATA	0x176824	0x31cf4	Delphi compiled form 'TDMessages'			0.2022938927556122
RT_RCDATA	0x1a8518	0x2b6ff	Delphi compiled form 'TDM_Misc'			0.11476008745552752
RT_RCDATA	0x1d3c18	0x480	Delphi compiled form 'TFEditForm'			0.4522569444444444
RT_RCDATA	0x1d4098	0x2d4	Delphi compiled form 'TFLog'			0.6174033149171271
RT_RCDATA	0x1d436c	0x1b9	Delphi compiled form 'TFrmStatus'			0.7120181405895691
RT_RCDATA	0x1d4528	0xbdc	Delphi compiled form 'TFrm_SelDst'			0.39492753623188404
RT_RCDATA	0x1d5104	0x422	Delphi compiled form 'TViewPrt'			0.552930056710775
RT_GROUP_CURSOR	0x1d5528	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1d553c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1d5550	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1d5564	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1d5578	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1d558c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1d55a0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x1d55b4	0x14	data	Russian	Russia	1.2
RT_MANIFEST	0x1d55c8	0x855	XML 1.0 document, ISO-8859 text, with CRLF line terminators			0.39990623534927333

Imports

DLL	Import
ADVAPI32.DLL	RegCloseKey, RegOpenKeyA, RegOpenKeyExA, RegQueryValueExA
KERNEL32.DLL	CloseHandle, CompareStringA, CopyFileA, CreateDirectoryA, CreateEventA, CreateFileA, CreateFileMappingA, CreateMutexA, CreateProcessA, CreateThread, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, EnumCalendarInfoA, ExitProcess, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FindResourceA, FlushFileBuffers, FormatMessageA, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentStrings, GetFileAttributesA, GetFileSize, GetFileTime, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoA, GetLogicalDrives, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProfileStringA, GetStartupInfoA, GetStdHandle, GetStringTypeExA, GetStringTypeW, GetSystemInfo, GetSystemTime, GetThreadLocale, GetTickCount, GetUserDefaultUILanguage, GetVersion, GetVersionExA, GetWindowsDirectoryA, GlobalAddAtomA, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomA, GlobalFree, GlobalHandle, GlobalLock, GlobalReAlloc, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, InterlockedDecrement, InterlockedIncrement, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MapViewOfFile, MoveFileA, MulDiv, MultiByteToWideChar, QueryDosDeviceA, RaiseException, ReadFile, ReleaseMutex, RemoveDirectoryA, ResetEvent, RtlUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryA, SetEndOfFile, SetErrorMode, SetEvent, SetFileAttributesA, SetFilePointer, SetHandleCount, SetLastError, SetThreadLocale, SizeofResource, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcmpA, lstrcpyA, lstrcpynA, lstrlenA, GetVolumeInformationA
MPR.DLL	WNetGetConnectionA
VERSION.DLL	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, EnumPrintersA, OpenPrinterA
COMCTL32.DLL	ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetDragCursorImage, ImageList_SetIconSize, ImageList_Write
GDI32.DLL	BitBlt, CombineRgn, CopyEnhMetaFileA, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCA, CreateDIBSection, CreateDIBitmap, CreateFontIndirectA, CreateHalftonePalette, CreateICA, CreatePalette, CreatePen, CreatePenIndirect, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, Ellipse, EndDoc, EndPage, ExcludeClipRect, ExtCreatePen, ExtTextOutA, GetBitmapBits, GetBrushOrgEx, GetCharABCWidthsA, GetCharWidth32A, GetClipBox, GetCurrentPositionEx, GetDCOrgEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetObjectA, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextExtentPoint32A, GetTextExtentPointA, GetTextMetricsA, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, PlayEnhMetaFile, PolyBezier, PolyPolyline, Polyline, RealizePalette, RectVisible, Rectangle, RestoreDC, RoundRect, SaveDC, SelectObject, SelectPalette, SetAbortProc, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetEnhMetaFileBits, SetMapMode, SetPixel, SetROP2, SetStretchBltMode, SetTextAlign, SetTextColor, SetViewportExtEx, SetViewportOrgEx, SetWinMetaFileBits, SetWindowExtEx, SetWindowOrgEx, StartDocA, StartPage, StretchBlt, TextOutA, UnrealizeObject
SHELL32.DLL	ExtractIconExA, SHGetSpecialFolderLocation, SHGetPathFromIDListA
USER32.DLL	ActivateKeyboardLayout, AdjustWindowRectEx, BeginPaint, BringWindowToTop, CallNextHookEx, CallWindowProcA, CharLowerA, CharLowerBuffA, CharNextA, CharUpperBuffA, CheckMenuItem, ChildWindowFromPoint, ClientToScreen, CloseClipboard, CountClipboardFormats, CreateIcon, CreateIconIndirect, CreateMenu, CreatePopupMenu, CreateWindowExA, DefFrameProcA, DefMDIChildProcA, DefWindowProcA, DeleteMenu, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextA, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndPaint, EnumClipboardFormats, EnumThreadWindows, EnumWindows, EqualRect, FillRect, FindWindowA, FrameRect, GetActiveWindow, GetCapture, GetCaretPos, GetClassInfoA, GetClassNameA, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextA, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuState, GetMenuStringA, GetMessagePos, GetMessageTime, GetParent, GetPropA, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTopWindow, GetUpdateRect, GetWindow, GetWindowDC, GetWindowLongA, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, InflateRect, InsertMenuA, InsertMenuItemA, IntersectRect, InvalidateRect, IsCharAlphaA, IsCharAlphaNumericA, IsChild, IsClipboardFormatAvailable, IsDialogMessageA, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapA, LoadCursorA, LoadIconA, LoadKeyboardLayoutA, LoadStringA, MapVirtualKeyA, MapWindowPoints, MessageBeep, MessageBoxA, MoveWindow, OemToCharA, OemToCharBuffA, OffsetRect, OpenClipboard, PeekMessageA, PostMessageA, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassA, RegisterClipboardFormatA, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, ScreenToClient, ScrollWindow, ScrollWindowEx, SendMessageA, SetActiveWindow, SetCapture, SetClassLongA, SetClipboardData, SetCursor, SetFocus, SetForegroundWindow, SetKeyboardState, SetMenu, SetMenuItemInfoA, SetPropA, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongA, SetWindowPlacement, SetWindowPos, SetWindowTextA, SetWindowsHookExA, ShowCursor, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnionRect, UnregisterClassA, UpdateWindow, ValidateRect, WaitMessage, WinHelpA, WindowFromPoint, wsprintfA, GetSysColor
OLE32.DLL	CoCreateInstance, CoInitialize, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
OLEAUT32.DLL	GetErrorInfo, SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayRedim, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report update_390_391.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\Desktop\ _avk_0.0.0.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
update_390_391.exe