Edit tour

Windows Analysis Report
Foto_03_02_2014_IMG_544134.zip

Overview

General Information

Sample name:	Foto_03_02_2014_IMG_544134.zip
Analysis ID:	1470680
MD5:	fefbf9b040c05a2e5c7ed8b91205fccf
SHA1:	0556f3500b2a7fd5ecad1111cc010c14bd1a65bf
SHA256:	b5e053d9af642ecf7ac6efbf45246445960db2fd919a2778c41ee49f8b1dc6a8

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Checks if the current process is being debugged

One or more processes crash

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 1388 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Foto_03_02_2014_IMG_700453.JPEG.exe (PID: 5964 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe" MD5: 58AA59A93C27B7E0EF2C88DAE5D37FC4)

WerFault.exe (PID: 424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 264 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Foto_03_02_2014_IMG_544134.zip	ReversingLabs: Detection: 86%
Source: Foto_03_02_2014_IMG_544134.zip	Virustotal: Detection: 76%			Perma Link

Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 264

Source: classification engine

Classification label: mal48.winZIP@3/4@0/10

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6973cbbc-09ba-49c6-a4f5-9d0667595cd9

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Foto_03_02_2014_IMG_544134.zip	ReversingLabs: Detection: 86%
Source: Foto_03_02_2014_IMG_544134.zip	Virustotal: Detection: 76%

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe "C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 264

Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe	Section loaded: winmm.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\Temp1_Foto_03_02_2014_IMG_544134.zip\Foto_03_02_2014_IMG_700453.JPEG.exe

Process queried: DebugPort

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
Foto_03_02_2014_IMG_544134.zip	86%	ReversingLabs	Win32.Trojan.Zeus
Foto_03_02_2014_IMG_544134.zip	77%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.189.173.20	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1470680
Start date and time:	2024-07-10 10:38:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Foto_03_02_2014_IMG_544134.zip
Detection:	MAL
Classification:	mal48.winZIP@3/4@0/10
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_foto_03_02_2014__9a92d512c450924d6845bf42ffb3fdf55ac3d4e_0a9ceb8c_79a03f46-543c-474a-8bda-93b27daf0fda\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7149262416592619
Encrypted:	false
SSDEEP:
MD5:	029B390710937A441B08678F29FD0F79
SHA1:	8B44225F2FAEDD7142BF57AA6294BCECE5D535D3
SHA-256:	6272C2888C4D835245237E95682931AE8F7F86A0910EBFA143E19F256F2C004A
SHA-512:	FF418F9AF40F519E86ED73E3AC5AB67CAFFD9221915D53414F0895F2E3DF8ADD361FE19D384CCF87687A71C1133D89B65E881E305D308F7203E5C2EFE0702F11
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.7.4.3.4.5.4.4.6.8.1.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.0.7.4.3.4.5.7.1.6.8.1.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.a.0.3.f.4.6.-.5.4.3.c.-.4.7.4.a.-.8.b.d.a.-.9.3.b.2.7.d.a.f.0.f.d.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.3.1.1.c.6.8.-.c.6.4.9.-.4.6.3.0.-.a.e.a.2.-.1.c.1.5.7.b.7.2.f.f.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.o.t.o._.0.3._.0.2._.2.0.1.4._.i.m.g._.7.0.0.4.5.3...j.p.e.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.c.-.0.0.0.1.-.0.0.1.7.-.8.5.a.1.-.b.4.9.e.a.4.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.9.0.5.1.3.9.6.3.1.8.d.4.3.f.d.5.9.8.3.7.9.a.e.d.e.f.8.5.1.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.8.5.f.2.8.d.2.0.6.6.1.d.3.5.e.5.5.b.1.3.b.6.e.6.2.2.5.f.1.9.7.d.7.8.7.e.0.9.0.a.!.F.o.t.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B75.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jul 10 08:39:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	37064
Entropy (8bit):	1.7230640980008778
Encrypted:	false
SSDEEP:
MD5:	0E322A747778612ED50B16F2B7F00C2F
SHA1:	8D836D2D32CB162AE9EB977432997014FED1C6E8
SHA-256:	EA48668B697307F940FAC3860E3A4B3AC3B661585829B9EB0A37DCBC7ECD4A69
SHA-512:	514E1E1C491CDA3EA52749CE86C621CF5F2460382C25E604CD8E5B9A601234003A40875D7DFAC11919EF4B883CAC3014D4AD6E415B80E739ADA89171E22ED87B
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........H.f........................................Z...........T.......8...........T...........................t...........`...............................................................................eJ..............GenuineIntel............T.......L....H.f............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BC4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8426
Entropy (8bit):	3.7043453531130908
Encrypted:	false
SSDEEP:
MD5:	2D6EE64258442A6C4E916BF93838214C
SHA1:	A1221DB1DC41A3497795B4D5B6B076F274A34981
SHA-256:	EAEC11082ADB15DA838B6F921FD02E130DACF22FFA99BD4DE7E6A58AE3865F56
SHA-512:	9F685605D1075EA36D95C3A6F0B416469BEC11227C36FE88F13E5D2FE06AB4A9D19245099969708234BCE4D8CD1A520765F87BFBC1E633BD1759EC18F4FE9F03
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BF4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.526436525549738
Encrypted:	false
SSDEEP:
MD5:	07007B3CA359F32FD38090181BC0E95E
SHA1:	509354E0A52CA86C286CAF5460631BD245E6121B
SHA-256:	3DE4832DFED9ECB2CE76C375573C7849B7D4E0630BA999248B9155ED61696936
SHA-512:	4A6F9671690CF6C7412623A90532E4E95D7C29BC204C8F0660B51BDA1FDF497C9ACA27DF120192F36E2A596356847765EA4CF881A326C9B74958E80DA9373A07
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="404621" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.999261975725657
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Foto_03_02_2014_IMG_544134.zip
File size:	242'004 bytes
MD5:	fefbf9b040c05a2e5c7ed8b91205fccf
SHA1:	0556f3500b2a7fd5ecad1111cc010c14bd1a65bf
SHA256:	b5e053d9af642ecf7ac6efbf45246445960db2fd919a2778c41ee49f8b1dc6a8
SHA512:	0bb44a8f7515175ddfee236e364e26864473040eec9e6a4bfc694b082fcb6ed2ed0961888cfdf0ac2bae79ba1bbedcf880e059aa2105f19dfa3f46e2b515c7bc
SSDEEP:	6144:gh3M6TvUsufLyl7DeL2SPYtpqFaSmLpOMnrsfyBy3+Rl+3cMkqBEo:UkLyBD+2Ss00/L1rsfqRs38qCo
TLSH:	01342310F449CB4186C606294EE6EF59687079B10FB312DC7FAB3A8650FE9F87DA5442
File Content Preview:	PK.........jCD............#...Foto_03_02_2014_IMG_700453.JPEG.exe.ZyX.E....lk`S..5j.[E...j....Em5..VJ.Z....(*Pp........}.y... ......zoM.j...].ovs..z.........{.y.f.....^.Y9....:.-........o..Oep..ym.2.....]w.Y..3.8...N..p...............O...Y.9....I..c%S...q

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Foto_03_02_2014_IMG_544134.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Hooking and other Techniques for Hiding and Protection

Anti Debugging

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_foto_03_02_2014__9a92d512c450924d6845bf42ffb3fdf55ac3d4e_0a9ceb8c_79a03f46-543c-474a-8bda-93b27daf0fda\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B75.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BC4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BF4.tmp.xml

Static File Info

General

File Icon

Windows Analysis Report
Foto_03_02_2014_IMG_544134.zip