Edit tour

Windows Analysis Report
LisectAVT_2403002A_416.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_416.exe
Analysis ID:	1481047
MD5:	a638c42d9952eb79dda11c2895bb9e3d
SHA1:	dd079c7cb8e89203b995c1cd4a5908effe3ff663
SHA256:	a76a0fc6a1da492c092cc494e77b8ac0578741d0bbc32dbd865c7970389a67cd
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Detected Stratum mining protocol

Found direct / indirect Syscall (likely to bypass EDR)

Found strings related to Crypto-Mining

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Potential thread-based time evasion detected

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected potential crypto function

Entry point lies outside standard sections

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_416.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_416.exe" MD5: A638C42D9952EB79DDA11C2895BB9E3D)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 8124 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3847942578.00000000005A4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x134b10:$a1: mining.set_target 0x12bb30:$a2: XMRIG_HOSTNAME 0x131408:$a3: Usage: xmrig [OPTIONS] 0x12bb08:$a4: XMRIG_VERSION
Process Memory Space: LisectAVT_2403002A_416.exe PID: 7540	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: LisectAVT_2403002A_416.exe PID: 7540	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x7cad8:$a1: mining.set_target 0x77dad:$a2: XMRIG_HOSTNAME 0x797f0:$a3: Usage: xmrig [OPTIONS] 0x77d8e:$a4: XMRIG_VERSION

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 8124, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T03:30:19.335638+0200
SID:	2022930
Source Port:	443
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T03:29:38.575377+0200
SID:	2022930
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.8 - Destination IP: 5.75.158.61

Timestamp:	2024-07-25T03:29:16.239082+0200
SID:	2826930
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_416.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: auto.c3pool.org

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: LisectAVT_2403002A_416.exe	ReversingLabs: Detection: 39%
Source: LisectAVT_2403002A_416.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_416.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.3847942578.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_416.exe PID: 7540, type: MEMORYSTR

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.8:49707 -> 5.75.158.61:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 38 42 66 78 69 52 50 59 31 67 71 32 6b 45 67 53 47 47 4c 31 75 51 4e 75 6f 59 47 51 42 58 54 6d 54 31 65 46 62 38 76 42 56 34 31 62 45 6f 43 43 58 58 41 61 66 61 6f 52 51 59 74 52 58 66 70 6b 6f 7a 4b 6e 41 54 67 48 38 7a 76 36 39 36 67 59 70 45 68 4b 64 6e 32 71 38 68 45 70 69 4b 77 22 2c 22 70 61 73 73 22 3a 22 6d 79 79 65 72 70 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 32 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 31 2e 30 20 6d 73 76 63 2f 32 30 31 37 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8bfxirpy1gq2kegsggl1uqnuoygqbxtmt1efb8vbv41beoccxxaafaorqytrxfpkozknatgh8zv696gypehkdn2q8hepikw","pass":"myyerp","agent":"xmrig/6.19.2 (windows nt 10.0; win64; x64) libuv/1.31.0 msvc/2017","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}

Found strings related to Crypto-Mining

Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: "url": "monerohash.com:80",
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.19.2

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: auto.c3pool.org

Source: ~DFEB4C8172AFF7D925.TMP.0.dr	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: LisectAVT_2403002A_416.exe PID: 7540, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

PE file contains section with special chars

Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Code function: 0_2_00581A48

0_2_00581A48

Source: LisectAVT_2403002A_416.exe

Static PE information: Number of sections : 15 > 10

Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1659074573.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejava.exe\: vs LisectAVT_2403002A_416.exe
Source: LisectAVT_2403002A_416.exe, 00000000.00000000.1387081246.0000000140808000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejava.exe\: vs LisectAVT_2403002A_416.exe
Source: LisectAVT_2403002A_416.exe	Binary or memory string: OriginalFilenamejava.exe\: vs LisectAVT_2403002A_416.exe

Source: 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: LisectAVT_2403002A_416.exe PID: 7540, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: LisectAVT_2403002A_416.exe	Static PE information: Section: ZLIB complexity 1.0071614583333333
Source: LisectAVT_2403002A_416.exe	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.evad.mine.winEXE@3/1@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

File created: C:\Users\user\AppData\Local\Temp\~DFEB4C8172AFF7D925.TMP

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_416.exe	ReversingLabs: Detection: 39%
Source: LisectAVT_2403002A_416.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe "C:\Users\user\Desktop\LisectAVT_2403002A_416.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002A_416.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_416.exe

Static file information: File size 8455189 > 1048576

Source: LisectAVT_2403002A_416.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x17e800
Source: LisectAVT_2403002A_416.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x5cec00

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: LisectAVT_2403002A_416.exe

Static PE information: real checksum: 0x812fd3 should be: 0x812fd8

Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name:
Source: LisectAVT_2403002A_416.exe	Static PE information: section name: .themida
Source: LisectAVT_2403002A_416.exe	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0014D790 pushad ; retf	0_2_0014D831
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0014EC12 push ebp; retf	0_2_0014EC23
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0014EB01 push ebp; retf	0_2_0014EB23
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0014FF23 push ebp; retf	0_2_0014FF2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0058964A push eax; retf	0_2_0058966A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_005810CC push esp; retf	0_2_005810DB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00589740 pushad ; ret	0_2_00589741
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00583302 push esp; retf	0_2_0058334B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00582D7A push esp; retf	0_2_00582D7B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00580DE9 push ebp; retf	0_2_005810CB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00582CA9 push esp; retf	0_2_00582CB3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_00587020 pushad ; ret	0_2_00587021
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Code function: 0_2_0211FBE8 push ebp; retf	0_2_0211FF2B

Source: LisectAVT_2403002A_416.exe	Static PE information: section name: entropy: 7.82486117848576
Source: LisectAVT_2403002A_416.exe	Static PE information: section name: entropy: 7.863282666933349
Source: LisectAVT_2403002A_416.exe	Static PE information: section name: entropy: 7.760464066702744

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1679209230.00000000005A9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: LisectAVT_2403002A_416.exe, 00000000.00000003.1679209230.00000000005A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: LisectAVT_2403002A_416.exe, 00000000.00000002.3848285737.0000000002616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	NtQueryInformationProcess: Indirect: 0x140DC6747	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	NtQueryInformationProcess: Indirect: 0x140E12806	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	NtSetInformationThread: Indirect: 0x140E1206C	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_416.exe	NtQuerySystemInformation: Indirect: 0x140DC14F9	Jump to behavior

Source: conhost.exe, 00000002.00000002.3848582527.000002231E220000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.3848582527.000002231E220000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000002.00000002.3848582527.000002231E220000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: conhost.exe, 00000002.00000002.3848582527.000002231E220000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	32 Virtualization/Sandbox Evasion	OS Credential Dumping	721 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	2 Process Injection	LSASS Memory	32 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_416.exe	39%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
LisectAVT_2403002A_416.exe	41%	Virustotal		Browse
LisectAVT_2403002A_416.exe	100%	Avira	HEUR/AGEN.1309090
LisectAVT_2403002A_416.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
auto.c3pool.org	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM	0%	Virustotal		Browse
https://xmrig.com/wizard	1%	Virustotal		Browse
https://xmrig.com/benchmark/%s	1%	Virustotal		Browse
https://xmrig.com/docs/algorithms	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auto.c3pool.org	5.75.158.61	true	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/benchmark/%s	LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM	~DFEB4C8172AFF7D925.TMP.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	LisectAVT_2403002A_416.exe, 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.75.158.61	auto.c3pool.org	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481047
Start date and time:	2024-07-25 03:28:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_416.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@3/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LisectAVT_2403002A_416.exe, PID 7540 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:29:48	API Interceptor	1x Sleep call for process: LisectAVT_2403002A_416.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
auto.c3pool.org	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	xB6r0wPRyb.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	K4gsPJGEi4.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	x00zm3KVwb.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	DoublePulsar, ETERNALBLUE, Xmrig	Browse	5.161.70.189
	UO2z4n1Sxx.exe	Get hash	malicious	Unknown	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	c3p.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	SecuriteInfo.com.FileRepMalware.25283.7828.exe	Get hash	malicious	BlackMoon	Browse	5.161.70.189

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	LisectAVT_2403002A_180.exe	Get hash	malicious	PolyRansom	Browse	144.76.195.253
	f84038a5c35557bb57839423dcab27287ac5ab490fca503f496df61da5e2bc99.exe	Get hash	malicious	Bdaejec, Vidar	Browse	5.161.21.185
	EF48AEBC0F1E77208BBCD5206C58678BB1181994507D1084E1D324DCA9D5D3B8.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	E6D881EA9A11D23E31737469C38C5C74DE54ADC680A662D877C6CAB46E3A34AB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	D9B72DA68DB9EB3D54BFD70C71F9A07EF222B7D9662DE35E74BA080B473DF4E2.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	https://r1s5ysq3czg5vii7sy3amdlrggobbqdod4rcuy0ul3qxlie.pages.dev/	Get hash	malicious	Unknown	Browse	195.201.57.90
	C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	https://kohojoiy.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_416.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	901120
Entropy (8bit):	7.918798349397588
Encrypted:	false
SSDEEP:	24576:2x5cyLzoy4z5LPrMcs5dmYOYFQn1s97QJv8wB:2zbL0zzJsKJS1QJv8wB
MD5:	6DE502CDFAD448559A118D514AAC5330
SHA1:	1BE69DECA1924590B2739956F1A5BAB203C73AB4
SHA-256:	1A254CD8A09B66710CBF518F4CE13E2C30C826883DC5E7EDCB00BF1CF7C89C7C
SHA-512:	2B2F86C32A0233477058888CD737937F989F1240A3B960B0D4543FB7AF8388EBBF491C341B28E874D386C119936384EAC0A12FBC657F09205C934E6AE5A65436
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.953851395208518
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_416.exe
File size:	8'455'189 bytes
MD5:	a638c42d9952eb79dda11c2895bb9e3d
SHA1:	dd079c7cb8e89203b995c1cd4a5908effe3ff663
SHA256:	a76a0fc6a1da492c092cc494e77b8ac0578741d0bbc32dbd865c7970389a67cd
SHA512:	b74ebf3994b96e6b895a957e032a3ba230b9053e7aad4bc58e303fdc03bf925c3e74aeac0f5e9538f11828caaf21c0254eeff3d5d84b005920f103812d885ec2
SSDEEP:	196608:zj+WCUnpqJ6p09Sz/qNybHf71LfMETK4oLsA91ZEd:zK15op0Aq+DuywW
TLSH:	A78633215004BDD2D8439372D81D21B14983EED6CB90262C2A6F77F7663BB3D432E76A
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........}\w..\w..\w....U.Qw....W..w....V.}w....c.Xw...../Uw...../.w...../zw....j.]w...../Nw....o.Kw..\w..6v...../hu...../zv...../_w.

File Icon


Icon Hash:	d08c8e8ea2868a54

Static PE Info

General

Entrypoint:	0x140f7c058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F2A76F [Thu Mar 14 07:29:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	62dc84212c31dc6fad4d7cd91eeaf282

Entrypoint Preview

Instruction
call 00007F5E64EFD8C7h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F5E64EFD726h
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F5E64EFD7A0h
xor eax, eax
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F5E64EFD848h
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F5E64EFD74Bh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F5E64EFD6CAh
mov eax, 00000001h
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5E64EFD749h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F5E64EFD728h
sub eax, ebx
mov ebx, 00000001h
jne 00007F5E64EFD770h
mov ecx, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x806152	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x808000	0x7c64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf57e24	0x2160c	.themida
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x154b000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x807038	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x390cb0	0x17e800	f9196c7a3c5e3972e5bd3a5ec909a4ca	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x392000	0x189ade	0x9b800	b43a514cee2bd48a30c17a121f49f4f2	False	0.9882843900723473	data	7.966005657903704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x51c000	0x2b0e40	0x4000	378910a41f28a360fa928fb93796bb19	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x7cd000	0x215f4	0x13600	226a4ca4576d14aeeba9d9b8830f550a	False	0.9360383064516129	data	7.5564434755852306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x7ef000	0xc56	0x600	8951c31e0aa85d5039aca6ac4b3ea0b3	False	1.0071614583333333	data	7.82486117848576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f0000	0x26d1	0x1000	b60f10f7518c1782ed15924495aa9a99	False	0.982177734375	data	7.863282666933349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f3000	0x1184	0xa00	7855674421ed69b1d80c2ce573813742	False	0.953125	data	7.760464066702744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f5000	0x7c5d	0x2c00	cde7e96871a34c8c2b4693e72f98990b	False	0.978515625	data	7.918442353501549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x7fd000	0x87c0	0x2c00	6dc35de255644724a843e2f4cea80c24	False	0.9123757102272727	data	7.771933692856027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x806000	0x1000	0x400	6cb4797928c34927778345fc13871892	False	0.333984375	data	3.0191147950274106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x807000	0x1000	0x200	7736d593dc1d638a984bfb118305285b	False	0.07421875	data	0.3504830562941642	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x808000	0x7e00	0x7e00	f409092efe7be741d423fab80ac9d207	False	0.34269593253968256	data	5.8433975701342105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x810000	0x76c000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0xf7c000	0x5cec00	0x5cec00	e1bdf37d5fc6bc13b12f5605567a7aec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x154b000	0x1000	0x10	8fc964d0db62dc93f46c8deb7a3423e9	False	1.5	GLS_BINARY_LSB_FIRST	2.7743974703476995	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x808260	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.21890243902439024
RT_ICON	0x8088d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.3400537634408602
RT_ICON	0x808bd0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.35450819672131145
RT_ICON	0x808dc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.46283783783783783
RT_ICON	0x808f00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5026652452025586
RT_ICON	0x809db8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.5798736462093863
RT_ICON	0x80a670	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.40264976958525345
RT_ICON	0x80ad48	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3273121387283237
RT_ICON	0x80b2c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.27344398340248965
RT_ICON	0x80d878	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.37875234521575984
RT_ICON	0x80e930	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.37868852459016394
RT_ICON	0x80f2c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4796099290780142
RT_GROUP_ICON	0x80f740	0xae	data	English	United States	0.5977011494252874
RT_VERSION	0x80f800	0x2d0	data			0.46944444444444444
RT_MANIFEST	0x80fae0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
WS2_32.dll	ntohs
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
CRYPT32.dll	CertOpenStore
USER32.dll	GetProcessWindowStation
SHELL32.dll	SHGetSpecialFolderPathA
ole32.dll	CoInitializeEx
ADVAPI32.dll	GetUserNameW
bcrypt.dll	BCryptGenRandom

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T03:30:19.335638+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49708	52.165.165.26	192.168.2.8
2024-07-25T03:29:38.575377+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49705	40.127.169.103	192.168.2.8
2024-07-25T03:29:16.239082+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49707	80	192.168.2.8	5.75.158.61

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:29:49.605178118 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:29:49.610193014 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:29:49.610294104 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:29:49.610431910 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:29:49.616574049 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:29:50.300076962 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:29:50.379657984 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:40.097836971 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:40.103208065 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:40.325542927 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:40.535979033 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:47.116950035 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:47.121881962 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:47.343938112 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:47.535991907 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:53.487531900 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:53.536026955 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:57.426475048 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:30:57.431353092 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:57.653729916 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:30:57.832917929 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:03.871665001 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:03.876698971 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:04.098953009 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:04.332946062 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:06.748959064 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:06.832886934 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:13.581811905 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:13.587002993 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:15.937833071 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:16.036051035 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:16.277319908 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:16.332948923 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:18.279221058 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:18.285461903 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:18.507637978 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:18.723557949 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:25.918209076 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:25.923216105 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:26.150499105 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:26.223575115 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:27.081975937 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:27.086904049 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:27.310003996 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:27.536221981 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:36.015459061 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:36.020469904 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:36.243120909 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:36.332933903 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:43.031829119 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:31:43.078555107 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:43.522588968 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:31:43.723570108 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:32:06.736859083 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:32:06.833106041 CEST	49707	80	192.168.2.8	5.75.158.61
Jul 25, 2024 03:33:06.777941942 CEST	80	49707	5.75.158.61	192.168.2.8
Jul 25, 2024 03:33:06.833096027 CEST	49707	80	192.168.2.8	5.75.158.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:29:49.593398094 CEST	62100	53	192.168.2.8	1.1.1.1
Jul 25, 2024 03:29:49.602705956 CEST	53	62100	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 03:29:49.593398094 CEST	192.168.2.8	1.1.1.1	0x588f	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 03:29:49.602705956 CEST	1.1.1.1	192.168.2.8	0x588f	No error (0)	auto.c3pool.org		5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:29:49.602705956 CEST	1.1.1.1	192.168.2.8	0x588f	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	5.75.158.61	80	7540	C:\Users\user\Desktop\LisectAVT_2403002A_416.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 03:29:49.610431910 CEST	565	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 38 42 66 78 69 52 50 59 31 67 71 32 6b 45 67 53 47 47 4c 31 75 51 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8BfxiRPY1gq2kEgSGGL1uQNuoYGQBXTmT1eFb8vBV41bEoCCXXAafaoRQYtRXfpkozKnATgH8zv696gYpEhKdn2q8hEpiKw","pass":"myyerp","agent":"XMRig/6.19.2 (Windows NT 10.0; Win64; x64) libuv/1.31.0 msvc/
Jul 25, 2024 03:29:50.300076962 CEST	413	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 33 36 33 32 32 33 38 33 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 31 30 31 Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"36322383","job":{"blob":"0101d8d486b506c3ad3b8484121aff9b0ed6b1ba4bf76e0fe45dd95f8f4c47a8a2fe38bffd42e800000000fe4e55ec6b1bbe18f1da6052d3178deaaac498be1d666e2d27b8b9776889011b01","algo":"rx/
Jul 25, 2024 03:30:40.097836971 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 33 36 33 32 32 33 38 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 36 33 32 Data Ascii: {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"36322383","job_id":"36322384","nonce":"91ab0000","result":"b52d6565d753c63e5f8ec8c4655c17ea8997adcead781277d580853b743e0200"}}
Jul 25, 2024 03:30:40.325542927 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 32 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":2,"error":null,"result":{"status":"OK"}}
Jul 25, 2024 03:30:47.116950035 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 33 36 33 32 32 33 38 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 36 33 32 Data Ascii: {"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"36322383","job_id":"36322384","nonce":"08330000","result":"e1be701fc30309bf95823c4c65efdbfe25e9b48c19f38c1d363d0c3a4c870200"}}
Jul 25, 2024 03:30:47.343938112 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 33 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":3,"error":null,"result":{"status":"OK"}}
Jul 25, 2024 03:30:53.487531900 CEST	370	IN	Data Raw: 7b 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 31 30 31 63 62 64 35 38 36 62 35 30 36 62 64 66 30 32 39 38 35 36 36 66 62 39 63 30 35 31 39 31 33 30 31 37 32 38 33 37 31 32 37 62 64 62 66 Data Ascii: {"method":"job","params":{"blob":"0101cbd586b506bdf0298566fb9c0519130172837127bdbf1f9d66ca721a0b654565e29779b60c000000007502e1d847b0b1eb44b9289e05ba5e3cc0e83a42df01e80a69b722dae2a04f3101","algo":"rx/0","height":18006,"seed_hash":"761a858c346f1
Jul 25, 2024 03:30:57.426475048 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 33 36 33 32 32 33 38 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 36 33 37 Data Ascii: {"id":4,"jsonrpc":"2.0","method":"submit","params":{"id":"36322383","job_id":"36372967","nonce":"c5040000","result":"15008468f2b7396ed8ad7346be0206791dd4d15caa27dc7e9cc63dc9be0d0300"}}
Jul 25, 2024 03:30:57.653729916 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 34 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":4,"error":null,"result":{"status":"OK"}}
Jul 25, 2024 03:31:03.871665001 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 35 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 33 36 33 32 32 33 38 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 36 33 37 Data Ascii: {"id":5,"jsonrpc":"2.0","method":"submit","params":{"id":"36322383","job_id":"36372967","nonce":"bb0d0000","result":"891c9d7c193c18fd41bcef547964ce9ded11df7201422a4d19c5be9b36c70e00"}}

Target ID:	0
Start time:	21:29:19
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_416.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_416.exe"
Imagebase:	0x140000000
File size:	8'455'189 bytes
MD5 hash:	A638C42D9952EB79DDA11C2895BB9E3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.3847942578.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000003.1653229731.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	21:29:19
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:30:04
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_416.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFEB4C8172AFF7D925.TMP

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Packets

Windows Analysis Report
LisectAVT_2403002A_416.exe