Windows
Analysis Report
7Y18r(199).exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 7Y18r(199).exe (PID: 1616 cmdline:
"C:\Users\ user\Deskt op\7Y18r(1 99).exe" MD5: 9D4867440293A300AA47FDE46D955D40)
- cleanup
Timestamp: | 2024-07-26T02:46:36.149638+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49723 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-26T02:45:58.511295+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49714 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00405315 | |
Source: | Code function: | 0_2_00405CEB | |
Source: | Code function: | 0_2_0040263E |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00404ECC |
Source: | Code function: | 0_2_004030DE |
Source: | Code function: | 0_2_004046DD |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004041E0 |
Source: | Code function: | 0_2_00402020 |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Automated click: | ||
Source: | Automated click: | ||
Source: | Automated click: | ||
Source: | Automated click: |
Source: | Code function: | 0_2_00405D12 |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Code function: | 0_2_00405315 | |
Source: | Code function: | 0_2_00405CEB | |
Source: | Code function: | 0_2_0040263E |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-3739 | ||
Source: | API call chain: | graph_0-3743 |
Source: | Code function: | 0_2_00405D12 |
Source: | Code function: | 0_2_10001855 |
Source: | Code function: | 0_2_00405A12 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
76% | ReversingLabs | Win32.Downloader.InstallMonster | ||
79% | Virustotal | Browse | ||
100% | Avira | TR/Dldr.Agent.zeuoef | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
0% | ReversingLabs | |||
1% | Virustotal | Browse | ||
0% | ReversingLabs | |||
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | Virustotal | Browse | ||
3% | Virustotal | Browse | ||
1% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
10% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
5% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
8% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
rep.pe-rar.biz | unknown | unknown | false |
| unknown |
rep.pe-work.biz | unknown | unknown | false |
| unknown |
rep.pe-sigh.biz | unknown | unknown | false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1482720 |
Start date and time: | 2024-07-26 02:44:49 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 7Y18r(199).exe |
Detection: | MAL |
Classification: | mal68.winEXE@1/6@3/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.423022883583039 |
Encrypted: | false |
SSDEEP: | 96:hrA2+5HGZFYJf9D8IjDflDCoMzncsGSmE:hE2+5mMJfJ8v1zFGSm |
MD5: | 55788069D3FA4E1DAF80F3339FA86FE2 |
SHA1: | D64E05C1879A92D5A8F9FF2FD2F1A53E1A53AE96 |
SHA-256: | D6E429A063ADF637F4D19D4E2EB094D9FF27382B21A1F6DCCF9284AFB5FF8C7F |
SHA-512: | D3B1EEC76E571B657DF444C59C48CAD73A58D1A10FF463CE9F3ACD07ACCE17D589C3396AD5BDB94DA585DA08D422D863FFE1DE11F64298329455F6D8EE320616 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14848 |
Entropy (8bit): | 6.054982561433298 |
Encrypted: | false |
SSDEEP: | 192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go |
MD5: | A5F8399A743AB7F9C88C645C35B1EBB5 |
SHA1: | 168F3C158913B0367BF79FA413357FBE97018191 |
SHA-256: | DACC88A12D3BA438FDAE3535DC7A5A1D389BCE13ADC993706424874A782E51C9 |
SHA-512: | 824E567F5211BF09C7912537C7836D761B0934207612808E9A191F980375C6A97383DBC6B4A7121C6B5F508CBFD7542A781D6B6B196CA24841F73892EEC5E977 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1086 |
Entropy (8bit): | 4.357912248575182 |
Encrypted: | false |
SSDEEP: | 12:pNU8l0KiapSTfreAyKATsQtmNsVp1UAizipykL0lx+p9qZqSaAta8gtE:pirzyFH5izsiI6Zquo8 |
MD5: | 786B7D187A6BAA67B339F0AD2B8EDFD2 |
SHA1: | A350EFD2659CCB594401A498DE31AE0B60863B03 |
SHA-256: | 842ACB94BC9448FCAA78ED80436475D4C9581A46BB63099F8303AF29452180A2 |
SHA-512: | 1FD8CB8E62939D53B835B4B11D97B40962E83CC5481F44057E4307FE6E4539324242785208DAD0A1D3BE229FB853C0DE62C1595AEDD467DB8ACC531B928F8853 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1086 |
Entropy (8bit): | 4.691980963047559 |
Encrypted: | false |
SSDEEP: | 24:dgqfNsSQSKdBjAKPGV1HJqXzJPAGOSaf:WKeddBjYVZyzJPAGO |
MD5: | BDB4885B084BB1CAFE9F025C2748B8A6 |
SHA1: | 0EF35CFC44BC77311F97D4AC439D27EB08F1FBB2 |
SHA-256: | 22FF9F7DAA35687958732A864A3506C157DDB7CBD7576C01A8B1658F2F55D17C |
SHA-512: | 97626CEAE1BA03E8CC15E4661CA0B520AA3C9319581E38C9FB17806DAD15C56A0FE5FC97BBD52B8E3D3623160B73C81B8DA4EFAE3BD698E72AECC974851CA0F9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9728 |
Entropy (8bit): | 5.054726426952 |
Encrypted: | false |
SSDEEP: | 96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420 |
MD5: | C10E04DD4AD4277D5ADC951BB331C777 |
SHA1: | B1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43 |
SHA-256: | E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A |
SHA-512: | 853A5564BF751D40484EA482444C6958457CB4A17FB973CF870F03F201B8B2643BE41BCCDE00F6B2026DC0C3D113E6481B0DC4C7B0F3AE7966D38C92C6B5862E |
Malicious: | false |
Antivirus: |
|
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\7Y18r(199).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1086 |
Entropy (8bit): | 3.600894799110786 |
Encrypted: | false |
SSDEEP: | 12:UD/HcIllF1lcqVBn9vSeAdywO9Y84TAXl++YcbsRN:ULHcYLvcq3n9v3AdywQY8208AsRN |
MD5: | AFC64153E21E093F64911BDA4EA628EF |
SHA1: | E5959ABCA67E3F83286FD39BE446AB9CD8B0B525 |
SHA-256: | 20CEE5342B112C82E8915AE04C78737B852883246C5FD823EEDBC30FD64B8F1E |
SHA-512: | 2C82E814F06938D54F16B76BCD2733B98EBF1CE4A91E357D42FEC5404A6F055A2D9F98EDF709383B160F07CACD885EDAFCFE446CF0C2FAC8246A1AB17CAC03FF |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.297875112602713 |
TrID: |
|
File name: | 7Y18r(199).exe |
File size: | 86'047 bytes |
MD5: | 9d4867440293a300aa47fde46d955d40 |
SHA1: | fb7ef415c72441bb661449799f36eb2602d84257 |
SHA256: | bffd5fbda2b41386e9022bd0e81e95fe597453a51793302b836d20b1885203f8 |
SHA512: | 5f55cd9c5ef5ec358b4d1fbdc04c7f7508d0802ba0c48d751747d3d280ddc4bc6deb09a457b1ddb39d7e141c370f82b32f55521a5d2cf5def9b125e6c71c99c1 |
SSDEEP: | 1536:CiZU91Rzv4f/+LHgmpoM4sXJx4Romu/TIaLI+LwjNOuHdozN0WingZF3qcRXaQ:CiezvrL9oMXJx45JG09ozNXinf8 |
TLSH: | 7F83D01271C4D837EA9917310D7BD7BACABBCF50016406A36B607F7F1E35242CE2A695 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x.......z...x...........i...,...t.......y...Richx...................PE..L......K.................\....9......0..... |
Icon Hash: | 0771ccf8d84d2907 |
Entrypoint: | 0x4030de |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4B1AE3B5 [Sat Dec 5 22:50:29 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 7fa974366048f9c551ef45714595665e |
Instruction |
---|
sub esp, 00000180h |
push ebx |
push ebp |
push esi |
xor ebx, ebx |
push edi |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409160h |
xor esi, esi |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [00407030h] |
push 00008001h |
call dword ptr [004070B0h] |
push ebx |
call dword ptr [0040727Ch] |
push 00000008h |
mov dword ptr [007A2758h], eax |
call 00007F467913E1E6h |
mov dword ptr [007A26A4h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 00000160h |
push eax |
push ebx |
push 0079DC68h |
call dword ptr [00407158h] |
push 00409154h |
push 007A1EA0h |
call 00007F467913DE99h |
call dword ptr [004070ACh] |
mov edi, 007A8000h |
push eax |
push edi |
call 00007F467913DE87h |
push ebx |
call dword ptr [0040710Ch] |
cmp byte ptr [007A8000h], 00000022h |
mov dword ptr [007A26A0h], eax |
mov eax, edi |
jne 00007F467913B5FCh |
mov byte ptr [esp+14h], 00000022h |
mov eax, 007A8001h |
push dword ptr [esp+14h] |
push eax |
call 00007F467913D97Ah |
push eax |
call dword ptr [0040721Ch] |
mov dword ptr [esp+1Ch], eax |
jmp 00007F467913B655h |
cmp cl, 00000020h |
jne 00007F467913B5F8h |
inc eax |
cmp byte ptr [eax], 00000020h |
je 00007F467913B5ECh |
cmp byte ptr [eax], 00000022h |
mov byte ptr [eax+eax+00h], 00000000h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b7000 | 0x40a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5a2c | 0x5c00 | 5525d73d28606ba0d0bf63419bc6f2d9 | False | 0.6725543478260869 | data | 6.458758913332546 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1190 | 0x1200 | a2c7710fa66fcbb43c7ef0ab9eea5e9a | False | 0.4453125 | data | 5.179763757809345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x399798 | 0x400 | 76d3c43f58289bceef3ffe4ae66dc848 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a3000 | 0x14000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3b7000 | 0x40a0 | 0x4200 | 9c4bb318922e117f5c9757855c38ae1f | False | 0.623342803030303 | data | 5.963555167049198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x3b72b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312 |
RT_ICON | 0x3b8358 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023 |
RT_ICON | 0x3b9200 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786 |
RT_ICON | 0x3b9aa8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497 |
RT_ICON | 0x3ba010 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021 |
RT_ICON | 0x3ba478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473 |
RT_ICON | 0x3ba760 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326 |
RT_DIALOG | 0x3ba888 | 0x202 | data | English | United States | 0.4085603112840467 |
RT_DIALOG | 0x3baa90 | 0xf8 | data | English | United States | 0.6290322580645161 |
RT_DIALOG | 0x3bab88 | 0xee | data | English | United States | 0.6260504201680672 |
RT_GROUP_ICON | 0x3bac78 | 0x68 | data | English | United States | 0.6634615384615384 |
RT_MANIFEST | 0x3bace0 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5198329853862212 |
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-26T02:46:36.149638+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49723 | 40.68.123.157 | 192.168.2.6 |
2024-07-26T02:45:58.511295+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49714 | 40.127.169.103 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 26, 2024 02:45:39.395611048 CEST | 60191 | 53 | 192.168.2.6 | 1.1.1.1 |
Jul 26, 2024 02:45:39.404827118 CEST | 53 | 60191 | 1.1.1.1 | 192.168.2.6 |
Jul 26, 2024 02:45:39.426804066 CEST | 53346 | 53 | 192.168.2.6 | 1.1.1.1 |
Jul 26, 2024 02:45:39.436580896 CEST | 53 | 53346 | 1.1.1.1 | 192.168.2.6 |
Jul 26, 2024 02:45:51.439908981 CEST | 60334 | 53 | 192.168.2.6 | 1.1.1.1 |
Jul 26, 2024 02:45:51.449980974 CEST | 53 | 60334 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 26, 2024 02:45:39.395611048 CEST | 192.168.2.6 | 1.1.1.1 | 0xe239 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 26, 2024 02:45:39.426804066 CEST | 192.168.2.6 | 1.1.1.1 | 0x31d7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 26, 2024 02:45:51.439908981 CEST | 192.168.2.6 | 1.1.1.1 | 0xe2c5 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 26, 2024 02:45:39.404827118 CEST | 1.1.1.1 | 192.168.2.6 | 0xe239 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Jul 26, 2024 02:45:39.436580896 CEST | 1.1.1.1 | 192.168.2.6 | 0x31d7 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Jul 26, 2024 02:45:51.449980974 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2c5 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 20:45:38 |
Start date: | 25/07/2024 |
Path: | C:\Users\user\Desktop\7Y18r(199).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 86'047 bytes |
MD5 hash: | 9D4867440293A300AA47FDE46D955D40 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 17.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.9% |
Total number of Nodes: | 1477 |
Total number of Limit Nodes: | 35 |
Graph
Function 004030DE Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 270filestringcomCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001855 Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215memoryCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405315 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004038CF Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403539 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 216stringregistrylibraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001759 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402E5B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171fileCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001C59 Relevance: 12.1, APIs: 8, Instructions: 51windowCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401B06 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004052B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E5A10E0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401D95 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004056C7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004056A8 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403061 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403DA2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403DD7 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403093 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404ECC Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004046DD Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004041E0 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405A12 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403EEA Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100010EF Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 112stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040573E Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100014CA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6E5A1180 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 97memorystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403E09 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040465D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040457B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405250 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004054E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001329 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100013FB Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404CDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004055C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040552A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040563C Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|