Edit tour

Windows Analysis Report
2PSj0qX4W6.exe

Overview

General Information

Sample name:	2PSj0qX4W6.exe renamed because original name is a hash value
Original sample name:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3.exe
Analysis ID:	1508524
MD5:	c92c541048de8be340a990db10e7cbab
SHA1:	50f7ef4239b9fd0358b10a8b3106871e2de1fd29
SHA256:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3
Tags:	116-198-231-169exe
Infos:

Detection

CobaltStrike, Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2PSj0qX4W6.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\2PSj0qX4W6.exe" MD5: C92C541048DE8BE340A990DB10E7CBAB)

WerFault.exe (PID: 2504 cmdline: C:\Windows\system32\WerFault.exe -u -p 6640 -s 1108 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}

Threatname: Metasploit

{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1d171:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x1d1dd:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x911:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x97d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-10T10:55:04.118942+0200	2028765	3	Unknown Traffic	192.168.2.4	49730	116.198.231.169	63222	TCP
2024-09-10T10:55:09.022682+0200	2028765	3	Unknown Traffic	192.168.2.4	49733	116.198.231.169	63222	TCP
2024-09-10T10:55:15.914160+0200	2028765	3	Unknown Traffic	192.168.2.4	49736	116.198.231.169	63222	TCP
2024-09-10T10:55:20.852983+0200	2028765	3	Unknown Traffic	192.168.2.4	49739	116.198.231.169	63222	TCP
2024-09-10T10:55:25.054384+0200	2028765	3	Unknown Traffic	192.168.2.4	49748	116.198.231.169	63222	TCP
2024-09-10T10:55:29.321752+0200	2028765	3	Unknown Traffic	192.168.2.4	49751	116.198.231.169	63222	TCP
2024-09-10T10:55:33.512668+0200	2028765	3	Unknown Traffic	192.168.2.4	49754	116.198.231.169	63222	TCP
2024-09-10T10:55:37.898702+0200	2028765	3	Unknown Traffic	192.168.2.4	49757	116.198.231.169	63222	TCP
2024-09-10T10:55:42.111525+0200	2028765	3	Unknown Traffic	192.168.2.4	49760	116.198.231.169	63222	TCP
2024-09-10T10:55:46.314350+0200	2028765	3	Unknown Traffic	192.168.2.4	49763	116.198.231.169	63222	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2PSj0qX4W6.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}

Multi AV Scanner detection for submitted file

Source: 2PSj0qX4W6.exe	ReversingLabs: Detection: 50%
Source: 2PSj0qX4W6.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Source: 2PSj0qX4W6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb source: 2PSj0qX4W6.exe
Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb(( source: 2PSj0qX4W6.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor	URLs: http://116.198.231.169/jquery-3.3.2.slim.min.js

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 116.198.231.169:63222

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49733 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 116.198.231.169:63222

Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169

Source: 2PSj0qX4W6.exe, 2PSj0qX4W6.exe, 00000000.00000003.2160064724.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2055318318.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2139474328.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2076583946.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F973602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/
Source: 2PSj0qX4W6.exe, 00000000.00000003.2033252187.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2011457982.000001F973602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/Es
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/MW
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/Z
Source: 2PSj0qX4W6.exe, 00000000.00000003.2160064724.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2139474328.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F973602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/ru
Source: 2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/wx
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169/
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/4h
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/SkX
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/dllC
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js9u
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRe
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsje

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF628B417B0

0_2_00007FF628B417B0

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6640 -s 1108

Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal96.troj.winEXE@2/5@0/1

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a9482d5d-3bb9-458e-a6e7-6eabe5e41af8

Jump to behavior

Source: 2PSj0qX4W6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2PSj0qX4W6.exe	ReversingLabs: Detection: 50%
Source: 2PSj0qX4W6.exe	Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\2PSj0qX4W6.exe "C:\Users\user\Desktop\2PSj0qX4W6.exe"
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6640 -s 1108

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 2PSj0qX4W6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2PSj0qX4W6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2PSj0qX4W6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb source: 2PSj0qX4W6.exe
Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb(( source: 2PSj0qX4W6.exe

Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_0000009C38F0EA2B push eax; ret		0_2_0000009C38F0EC87
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_0000009C38F0EC09 push eax; ret		0_2_0000009C38F0EC87

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF628B439CC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF628B439CC

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF628B42F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF628B42F04
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF628B439CC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF628B439CC
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF628B43B74 SetUnhandledExceptionFilter,	0_2_00007FF628B43B74

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF628B43BE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF628B43BE4

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2PSj0qX4W6.exe	50%	ReversingLabs	Win64.Backdoor.MeterpreterReverseShell
2PSj0qX4W6.exe	44%	Virustotal		Browse
2PSj0qX4W6.exe	100%	Avira	TR/AD.MeterpreterSC.jtwai

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://116.198.231.169:63222/4h	0%	Avira URL Cloud	safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
http://code.jquery.com/	0%	Avira URL Cloud	safe
http://code.jquery.com/Es	0%	Avira URL Cloud	safe
http://code.jquery.com/MW	0%	Avira URL Cloud	safe
http://code.jquery.com/ru	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js9u	0%	Avira URL Cloud	safe
http://code.jquery.com/wx	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsje	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/	0%	Avira URL Cloud	safe
http://code.jquery.com/Z	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRe	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/dllC	0%	Avira URL Cloud	safe
https://116.198.231.169/	0%	Avira URL Cloud	safe
http://116.198.231.169/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/SkX	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js	true	Avira URL Cloud: safe	unknown
http://116.198.231.169/jquery-3.3.2.slim.min.js	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://116.198.231.169:63222/4h	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/MW	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/	2PSj0qX4W6.exe, 2PSj0qX4W6.exe, 00000000.00000003.2160064724.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2055318318.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2139474328.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2076583946.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F973602000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://code.jquery.com/Es	2PSj0qX4W6.exe, 00000000.00000003.2033252187.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2011457982.000001F973602000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/ru	2PSj0qX4W6.exe, 00000000.00000003.2160064724.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2139474328.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F973602000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js9u	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/wx	2PSj0qX4W6.exe, 00000000.00000003.2119298442.000001F973602000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2097445402.000001F973602000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsje	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/Z	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRe	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/dllC	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169/	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/SkX	2PSj0qX4W6.exe, 00000000.00000002.2278159144.000001F9735CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.198.231.169	unknown	China		137699	CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508524
Start date and time:	2024-09-10 10:54:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2PSj0qX4W6.exe renamed because original name is a hash value
Original Sample Name:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 3 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
04:55:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
116.198.231.169	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
116.198.231.169	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	gOEF4WOJ3c.elf	Get hash	malicious	Unknown	Browse	116.198.238.210

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2PSj0qX4W6.exe_f242d2db8512e499419d5b50699546c36555d67_204a2a81_1fa36391-52e8-4ce3-871e-969bb9376f15\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9245646449165812
Encrypted:	false
SSDEEP:	96:ekFdPsShq1ooh7RH6NbQXIDcQWc6zcEZcw37n+HbHg/JgWpt8sKa9bATFUp2QMRI:3HPif0I3DEj84TzuiFrCZ24lO8Q
MD5:	416A3D8E48E5B5770090C18CB54FDF51
SHA1:	0B4D1843FB793E94A1D71E52FF72892F6EAA6F23
SHA-256:	E7DF402DBB327D31E66655F1D9076E740F17272F26FB98182DEAFAB49D2FC6FF
SHA-512:	A12F9EDFAD6E036CC401D0B9657034594EC7072E99CD112D7336E90892C90EACABA8385D4E8D4E166466F1CF061031FDBAD1FEA148F4626B40FC9F317A159498
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.3.2.1.4.7.7.2.9.0.2.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.3.2.1.4.8.2.4.4.6.4.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.a.3.6.3.9.1.-.5.2.e.8.-.4.c.e.3.-.8.7.1.e.-.9.6.9.b.b.9.3.7.6.f.1.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.a.1.4.d.f.b.-.e.4.5.c.-.4.e.e.7.-.a.9.b.5.-.5.f.0.c.6.c.5.a.8.2.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.2.P.S.j.0.q.X.4.W.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.0.-.0.0.0.1.-.0.0.1.4.-.9.9.4.f.-.8.8.1.e.5.f.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.a.1.4.5.0.4.e.b.2.0.c.3.f.1.c.a.8.1.d.a.b.8.b.1.a.2.5.3.e.c.7.0.0.0.0.f.f.f.f.!.0.0.0.0.5.0.f.7.e.f.4.2.3.9.b.9.f.d.0.3.5.8.b.1.0.a.8.b.3.1.0.6.8.7.1.e.2.d.e.1.f.d.2.9.!.2.P.S.j.0.q.X.4.W.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.1.:.1.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 10 08:55:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	155260
Entropy (8bit):	1.3902254874213669
Encrypted:	false
SSDEEP:	192:wZtOtp/Wk4ttD7OYobH2zp4Xml50H5lzE/uecJeHPfXlu:3tpH4tBCNbHfXml51rcJmHXlu
MD5:	7F487C6B840E02EB449B744A43C00478
SHA1:	E60A4785630C3E9AB99B64A5ED0CCFC28B201A46
SHA-256:	C37E1AF52EBEF0109F43DBDC2D0A8FAC33E2829620BB866BD66833DC89E7FA47
SHA-512:	B8D47463FEA40CD9402CA4DD2A66F159A8E107067D490EB91ECCBF3EC5F894EC4CE0B1300A71164DB4A731A09CE70C062C4737D000733E0A01CD0E775927886E
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... ..........f........................................,X..........T.......8...........T...........@/..</......................l...............................................................................eJ..............Lw......................T...........d..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE53.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8904
Entropy (8bit):	3.705376798221505
Encrypted:	false
SSDEEP:	192:R6l7wVeJa4sC6Y96g3MgmfwvpDa89bVhMfqHm:R6lXJlZ6Ygg3MgmfwpV6fT
MD5:	E996CC364F1F082EE541D2B2ED587289
SHA1:	98E69D64BC77CBF30AC70F1044EB98651EF173BB
SHA-256:	23547EEBBDF49DC318C6C3B4A545698D338543DC783E277506F3294D2ECF0FF0
SHA-512:	D80DDD9619CA6A74D1ED462142289CC85B4BE7923316E7E36F8A6E4B89438D468D9A5684A633C77E79BD00EAC4BCA74C13752E1EF7686ED47153E50B23A2B701
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE83.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.484327472962603
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoJg771I9XgVVWpW8VYCYm8M4J8pO1FCuyq8vYpO+1dmeywVw9d:uIjfuI7Ed7VuJUeWYz19XO9d
MD5:	9FE9CD7357210EA4035C7F1F5F6437D2
SHA1:	8C9E535AD02DB0B37E2B92FE19C95A1940E6EC96
SHA-256:	324F5292471F6B0836DD326F6DA7EE0366E5FCE18E9A7B3DD0B59F94558CCB2D
SHA-512:	517870D7CE5FF49A2FDD7B19261E4341D53DDFBAA2EAD09A93055820FC9BCD4A32E35A27095AC3B8AF10859B4E7C7744D98914864BCAC640410A3AC38D2E35F9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="493918" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465588284885263
Encrypted:	false
SSDEEP:	6144:pIXfpi67eLPU9skLmb0b4BWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSbt:aXD94BWlLZMM6YFHc+t
MD5:	44AF3AD31457D05AE9DDC6D1B7DE83BF
SHA1:	6EF7CE9623A032E2243ABFDE29DECFE4438FD73D
SHA-256:	5C09256A9E83F4771622FD25F0E645B2D6FC62E8201D4E02B03EB44E9B47FA2A
SHA-512:	3EA33647C42A2B5ADD46AFD3EF5999DA39651A8BCE789BFB46B26AA9F0EE5C1EF96D18554B54291A58750B9C4F9CD0EBCA7E9C836D32D7B85B48964675E37EBE
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:.:_................................................................................................................................................................................................................................................................................................................................................w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.837840610486668
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2PSj0qX4W6.exe
File size:	39'424 bytes
MD5:	c92c541048de8be340a990db10e7cbab
SHA1:	50f7ef4239b9fd0358b10a8b3106871e2de1fd29
SHA256:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3
SHA512:	fa1b8808c7ea8ff81ef4b30095b896098e29c8c281f9bcfd0570469da9bea3b1d9a20aeb75f79dcf2ae4d933442b1d1094bc16156dbd98dadc0f5ff115f8dccb
SSDEEP:	768:+mOM8UGqSc62S1MdS4o8BWPKbKqB5SW2pegUxHTo:+hM2qSO9S4oqijdM1V
TLSH:	8E039D5A7B40C9EEDC6A4339C113A91AF3B378211752BADF57D542620E623E1BC7B092
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-$..iE.^iE.^iE.^`=p^eE.^..._jE.^..._cE.^..._rE.^..._oE.^"=._lE.^iE.^9E.^z.._jE.^z..^hE.^z.._hE.^RichiE.^........PE..d.....uf...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140003688
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667590C5 [Fri Jun 21 14:40:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6b40e87f57848366f8223dc72adc8105

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FEC20F02B88h
dec eax
add esp, 28h
jmp 00007FEC20F024A7h
int3
int3
jmp 00007FEC20F02DBEh
int3
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00001CD0h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [00001CB5h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FEC20F02607h
dec eax
lea edx, dword ptr [00006597h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FEC20F02CD4h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007FEC20F0268Dh
dec eax
or dword ptr [00007959h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00000041h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d5c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xc000	0x2dc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0x74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9260	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9120	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30b4	0x3200	e9963f482a3d6e7f4e75fe743c2953bf	False	0.585234375	data	6.257536886152972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x5914	0x5a00	0d9164bef9ec87f2b9facc8891c7342f	False	0.6498263888888889	data	7.192253966884054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x7a0	0x200	e58308d815ae9f347d76df3fe7a185db	False	0.251953125	DOS executable (block device driver)	2.229094667815011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xc000	0x2dc	0x400	99db291c0f94381619f68f9a01ef2c14	False	0.3837890625	data	3.0805904685737957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xd000	0x1e0	0x200	44e3d39532c9319314b3e7669556d25a	False	0.529296875	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0x74	0x200	f4ff1a136d814031024657417835019e	False	0.23046875	data	1.3772139608147294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xd060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, LoadLibraryA, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, IsDebuggerPresent, VirtualProtect
MSVCP140.dll	?good@ios_base@std@@QEBA_NXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
CRYPT32.dll	CertEnumSystemStore
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memset, __current_exception_context, __current_exception, _CxxThrowException, __C_specific_handler, memcpy, __std_exception_copy, __std_exception_destroy, memchr, __std_terminate
api-ms-win-crt-string-l1-1-0.dll	isalnum
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, __p___argv, __p___argc, terminate, _exit, exit, _initterm_e, _register_thread_local_exe_atexit_callback, _initterm, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _get_initial_narrow_environment, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-heap-l1-1-0.dll	free, _callnewh, _set_new_mode, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-10T10:55:04.118942+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49730	116.198.231.169	63222	TCP
2024-09-10T10:55:09.022682+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49733	116.198.231.169	63222	TCP
2024-09-10T10:55:15.914160+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49736	116.198.231.169	63222	TCP
2024-09-10T10:55:20.852983+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49739	116.198.231.169	63222	TCP
2024-09-10T10:55:25.054384+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49748	116.198.231.169	63222	TCP
2024-09-10T10:55:29.321752+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49751	116.198.231.169	63222	TCP
2024-09-10T10:55:33.512668+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49754	116.198.231.169	63222	TCP
2024-09-10T10:55:37.898702+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49757	116.198.231.169	63222	TCP
2024-09-10T10:55:42.111525+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49760	116.198.231.169	63222	TCP
2024-09-10T10:55:46.314350+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49763	116.198.231.169	63222	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 10:55:01.710592031 CEST	49730	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:01.715487957 CEST	63222	49730	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:01.715586901 CEST	49730	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:01.762476921 CEST	49730	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:01.767303944 CEST	63222	49730	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:04.118747950 CEST	63222	49730	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:04.118942022 CEST	49730	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:04.128942966 CEST	49730	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:04.129878998 CEST	49731	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:04.133819103 CEST	63222	49730	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:04.134744883 CEST	63222	49731	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:04.134829998 CEST	49731	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:04.135397911 CEST	49731	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:04.140238047 CEST	63222	49731	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.692790031 CEST	63222	49731	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.692981005 CEST	49731	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.693032026 CEST	49731	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.693772078 CEST	49732	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.697916031 CEST	63222	49731	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.698647022 CEST	63222	49732	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.698743105 CEST	49732	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.698915958 CEST	49732	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.700776100 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.704348087 CEST	63222	49732	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.704432011 CEST	49732	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.705852985 CEST	63222	49733	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:06.705961943 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.706494093 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:06.711441040 CEST	63222	49733	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:09.022600889 CEST	63222	49733	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:09.022681952 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.022789001 CEST	63222	49733	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:09.022813082 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.022847891 CEST	49733	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.023612976 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.027592897 CEST	63222	49733	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:09.028485060 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:09.028573036 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.028870106 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:09.033672094 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.794656992 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.794774055 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.794945002 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.795623064 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.795687914 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.795828104 CEST	49735	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.796179056 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.796237946 CEST	49734	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.800618887 CEST	63222	49734	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.801759005 CEST	63222	49735	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.801852942 CEST	49735	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.802002907 CEST	49735	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.803451061 CEST	49736	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.808653116 CEST	63222	49735	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.808732986 CEST	49735	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.809005022 CEST	63222	49736	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:13.809425116 CEST	49736	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.809425116 CEST	49736	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:13.814338923 CEST	63222	49736	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:15.912946939 CEST	63222	49736	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:15.914160013 CEST	49736	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:15.914160013 CEST	49736	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:15.914412975 CEST	49737	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:15.919066906 CEST	63222	49736	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:15.919189930 CEST	63222	49737	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:15.919282913 CEST	49737	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:15.919603109 CEST	49737	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:15.924379110 CEST	63222	49737	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.143480062 CEST	63222	49737	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.143703938 CEST	49737	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.143703938 CEST	49737	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.144604921 CEST	49738	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.148813009 CEST	63222	49737	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.150221109 CEST	63222	49738	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.152355909 CEST	49738	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.152355909 CEST	49738	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.157476902 CEST	63222	49738	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.157577991 CEST	49738	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.158157110 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.162992001 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:18.167414904 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.167414904 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:18.172281027 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.852901936 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.852982998 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.853085995 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.853135109 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.853257895 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.853602886 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.853643894 CEST	49739	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.858295918 CEST	63222	49739	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.859674931 CEST	49743	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.864428043 CEST	63222	49743	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:20.864511967 CEST	49743	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.864881992 CEST	49743	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:20.869682074 CEST	63222	49743	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.954804897 CEST	63222	49743	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.954862118 CEST	49743	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.954989910 CEST	49743	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.957165003 CEST	49747	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.959714890 CEST	63222	49743	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.961966991 CEST	63222	49747	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.962138891 CEST	49747	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.962275982 CEST	49747	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.967021942 CEST	49748	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.967417955 CEST	63222	49747	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.967858076 CEST	63222	49747	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.967895985 CEST	49747	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.971818924 CEST	63222	49748	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:22.974215984 CEST	49748	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.974545002 CEST	49748	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:22.979347944 CEST	63222	49748	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:25.051626921 CEST	63222	49748	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:25.054383993 CEST	49748	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:25.054419041 CEST	49748	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:25.059464931 CEST	63222	49748	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:25.062802076 CEST	49749	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:25.067953110 CEST	63222	49749	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:25.069499969 CEST	49749	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:25.069920063 CEST	49749	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:25.078075886 CEST	63222	49749	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.102555037 CEST	63222	49749	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.102858067 CEST	49749	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.103004932 CEST	49749	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.107841015 CEST	63222	49749	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.108587980 CEST	49750	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.113470078 CEST	63222	49750	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.113588095 CEST	49750	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.113807917 CEST	49750	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.115112066 CEST	49751	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.119009018 CEST	63222	49750	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.119095087 CEST	49750	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.119920969 CEST	63222	49751	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:27.120029926 CEST	49751	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.120414972 CEST	49751	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:27.125164986 CEST	63222	49751	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:29.321527958 CEST	63222	49751	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:29.321752071 CEST	49751	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:29.322035074 CEST	49751	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:29.326128006 CEST	49752	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:29.326870918 CEST	63222	49751	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:29.330899954 CEST	63222	49752	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:29.330980062 CEST	49752	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:29.331295013 CEST	49752	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:29.336163044 CEST	63222	49752	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.411154985 CEST	63222	49752	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.413330078 CEST	49752	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.414077044 CEST	49752	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.416646957 CEST	49753	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.418931007 CEST	63222	49752	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.421804905 CEST	63222	49753	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.421914101 CEST	49753	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.422113895 CEST	49753	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.425889015 CEST	49754	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.427186966 CEST	63222	49753	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.427258968 CEST	49753	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.430936098 CEST	63222	49754	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:31.431051970 CEST	49754	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.431583881 CEST	49754	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:31.436429977 CEST	63222	49754	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:33.512569904 CEST	63222	49754	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:33.512667894 CEST	49754	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:33.512794018 CEST	49754	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:33.515537977 CEST	49755	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:33.517604113 CEST	63222	49754	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:33.520396948 CEST	63222	49755	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:33.520515919 CEST	49755	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:33.520934105 CEST	49755	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:33.525765896 CEST	63222	49755	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.691947937 CEST	63222	49755	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.692148924 CEST	49755	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.692209959 CEST	49755	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.694906950 CEST	49756	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.697313070 CEST	63222	49755	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.699955940 CEST	63222	49756	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.700078011 CEST	49756	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.700248003 CEST	49756	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.701647043 CEST	49757	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.705513954 CEST	63222	49756	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.705612898 CEST	49756	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.706521988 CEST	63222	49757	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:35.706584930 CEST	49757	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.706916094 CEST	49757	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:35.711663008 CEST	63222	49757	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:37.898607969 CEST	63222	49757	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:37.898701906 CEST	49757	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:37.898828983 CEST	49757	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:37.902903080 CEST	49758	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:37.906430960 CEST	63222	49757	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:37.908746004 CEST	63222	49758	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:37.908847094 CEST	49758	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:37.909116030 CEST	49758	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:37.914352894 CEST	63222	49758	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.024862051 CEST	63222	49758	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.025043964 CEST	49758	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.025171995 CEST	49758	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.029555082 CEST	49759	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.031424046 CEST	63222	49758	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.035991907 CEST	63222	49759	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.036066055 CEST	49759	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.036212921 CEST	49759	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.037763119 CEST	49760	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.042732954 CEST	63222	49759	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.042783022 CEST	49759	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.044060946 CEST	63222	49760	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:40.044128895 CEST	49760	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.044437885 CEST	49760	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:40.050646067 CEST	63222	49760	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:42.111341953 CEST	63222	49760	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:42.111525059 CEST	49760	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:42.111565113 CEST	49760	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:42.115299940 CEST	49761	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:42.116497993 CEST	63222	49760	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:42.120259047 CEST	63222	49761	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:42.120341063 CEST	49761	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:42.120644093 CEST	49761	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:42.125552893 CEST	63222	49761	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.296638012 CEST	63222	49761	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.296745062 CEST	49761	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.296875000 CEST	49761	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.300544977 CEST	49762	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.301759958 CEST	63222	49761	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.305515051 CEST	63222	49762	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.305593014 CEST	49762	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.305680990 CEST	49762	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.308291912 CEST	49763	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.311844110 CEST	63222	49762	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.311916113 CEST	49762	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.313210011 CEST	63222	49763	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:44.313291073 CEST	49763	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.313550949 CEST	49763	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:44.318389893 CEST	63222	49763	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:46.314235926 CEST	63222	49763	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:46.314349890 CEST	49763	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:46.314475060 CEST	49763	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:46.319300890 CEST	49764	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:46.320549011 CEST	63222	49763	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:46.325150013 CEST	63222	49764	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:46.325263023 CEST	49764	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:46.325956106 CEST	49764	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:46.331918001 CEST	63222	49764	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:48.373234987 CEST	63222	49764	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:48.373445988 CEST	49764	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:48.373493910 CEST	49764	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:48.376390934 CEST	49765	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:48.381674051 CEST	63222	49764	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:48.382292032 CEST	63222	49765	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:48.382371902 CEST	49765	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:48.382522106 CEST	49765	63222	192.168.2.4	116.198.231.169
Sep 10, 2024 10:55:48.387830019 CEST	63222	49765	116.198.231.169	192.168.2.4
Sep 10, 2024 10:55:48.387892962 CEST	49765	63222	192.168.2.4	116.198.231.169

Target ID:	0
Start time:	04:55:00
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\2PSj0qX4W6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2PSj0qX4W6.exe"
Imagebase:	0x7ff628b40000
File size:	39'424 bytes
MD5 hash:	C92C541048DE8BE340A990DB10E7CBAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:55:47
Start date:	10/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6640 -s 1108
Imagebase:	0x7ff6c2860000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	30%
Total number of Nodes:	253
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF628B42890 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 233
librarymemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF628B428D8
memcpy.VCRUNTIME140 ref: 00007FF628B42971
memcpy.VCRUNTIME140 ref: 00007FF628B42A12
memset.VCRUNTIME140 ref: 00007FF628B42A80
memset.VCRUNTIME140 ref: 00007FF628B42AD2
LoadLibraryA.KERNEL32 ref: 00007FF628B42B80
VirtualProtect.KERNELBASE ref: 00007FF628B42B9A
CertEnumSystemStore.CRYPT32 ref: 00007FF628B42BAE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B42BE7

Part of subcall function 00007FF628B431A4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF628B4100E), ref: 00007FF628B431BE

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF628B42C27

Strings

kernel32.dll, xrefs: 00007FF628B42B79
fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G, xrefs: 00007FF628B428CB

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: memcpy$memset$CertConcurrency::cancel_current_taskEnumLibraryLoadProtectStoreSystemVirtual_invalid_parameter_noinfo_noreturnmalloc
String ID: fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G$kernel32.dll
API String ID: 150564791-1552992655
Opcode ID: ffa8f0ba843f4013f44525dfc9840ffd1d381b7730647cc0e71a19c35832ef2a
Instruction ID: 6a227d6ccf3f123da0e50f0e56d1fc82c8e9a0bfc434b3bbfc264d5fdcfff427
Opcode Fuzzy Hash: ffa8f0ba843f4013f44525dfc9840ffd1d381b7730647cc0e71a19c35832ef2a
Instruction Fuzzy Hash: CCA1D522E18A8685EE20CB34DC513BD6361FB867A5F44023BDA9D836D6DF3CE149D709

Function 00007FF628B4350C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF628B43535
__scrt_release_startup_lock.LIBCMT ref: 00007FF628B435A3
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B435F1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B435F6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B435FE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B43606
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B43628
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF628B43682

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: df102f85938d3cac35a7069fa22ae6c53ea1cb25a1aa4727b64a6a950befc1c6
Instruction ID: ec96a6c94ec571bc10d3196c56eb95cff6652ada3d1f886a0007805566bcc829
Opcode Fuzzy Hash: df102f85938d3cac35a7069fa22ae6c53ea1cb25a1aa4727b64a6a950befc1c6
Instruction Fuzzy Hash: FC31F911A0C50342EE14AB35BD73BBD6691AFCA786F5C403FDA4E872D3DE2DE405824A

Function 0000009C38F0EA2B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000009C38F0EA46

Strings

U.;, xrefs: 0000009C38F0EA41

Memory Dump Source

Source File: 00000000.00000002.2277720966.0000009C38F0E000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000009C38F0E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c38f0e000_2PSj0qX4W6.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction ID: 719451cd09982e1b2262eb2799ab56f9776b05cb32f08330fa00311705b80971
Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction Fuzzy Hash: EE114CA034890D1BFA18519D7C56B7621CAD7DC759F24C12FB55EC33D6DC648C82815A

Non-executed Functions

Function 00007FF628B417B0 Relevance: 26.6, APIs: 17, Instructions: 1087
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF628B42807), ref: 00007FF628B41811
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF628B42807), ref: 00007FF628B41880

Part of subcall function 00007FF628B431A4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF628B4100E), ref: 00007FF628B431BE

memcpy.VCRUNTIME140(00000000,?,?,00007FF628B42807), ref: 00007FF628B418A3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF628B418C8
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF628B42807), ref: 00007FF628B419B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF628B42807), ref: 00007FF628B419EE
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF628B42807), ref: 00007FF628B419F8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF628B41A2B

Part of subcall function 00007FF628B431A4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF628B431D4
Part of subcall function 00007FF628B431A4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF628B431DA

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemcpy$_invalid_parameter_noinfo_noreturn$malloc
String ID:
API String ID: 1057630676-0
Opcode ID: 464bffc901c1c071010548c694ba76aea8e22709931f1539bc19d3fd378ea19e
Instruction ID: 6aa0b68bae8282b2979f786b23b2fc0db4a41d3b23c12f567182ebd3836ca9e7
Opcode Fuzzy Hash: 464bffc901c1c071010548c694ba76aea8e22709931f1539bc19d3fd378ea19e
Instruction Fuzzy Hash: 05A22772A182D14AEB258F399C512FE7BA1F78678AF44413ADB9D97785CE3CE601C700

Function 00007FF628B439CC Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF628B439E8
memset.VCRUNTIME140 ref: 00007FF628B43A0C
RtlCaptureContext.KERNEL32 ref: 00007FF628B43A15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF628B43A2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF628B43A70
memset.VCRUNTIME140 ref: 00007FF628B43AA3
IsDebuggerPresent.KERNEL32 ref: 00007FF628B43AC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF628B43AE1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF628B43AEC

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f2aa790f9085783cc2a9030d909d546b5d07370b2f8c6efc4ec764b99a8b9c54
Instruction ID: 0bd409626d87da3cbedb90302656c3637975ef0f0a5bce7900cfbcc01228ef9b
Opcode Fuzzy Hash: f2aa790f9085783cc2a9030d909d546b5d07370b2f8c6efc4ec764b99a8b9c54
Instruction Fuzzy Hash: 22315A76608B818AEB608F60EC617ED7360FB89705F48403ADA4E87B99EF38D548C715

Function 00007FF628B43BE4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF628B43C10
GetCurrentThreadId.KERNEL32 ref: 00007FF628B43C1E
GetCurrentProcessId.KERNEL32 ref: 00007FF628B43C2A
QueryPerformanceCounter.KERNEL32 ref: 00007FF628B43C3A

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0276672fa070bc2c4ef3fd86ef9fb26e19d7fbff92688fdf569c2d60a7172a23
Instruction ID: 6c7eb376790cde60ee52a7f06649c4678f211633f42089957a1a1e571b7d76db
Opcode Fuzzy Hash: 0276672fa070bc2c4ef3fd86ef9fb26e19d7fbff92688fdf569c2d60a7172a23
Instruction Fuzzy Hash: 30114C26B14F058AEF00CB70EC652AC33A4FB5A759F440E36DA6D827A5DF38D1588380

Function 00007FF628B43B74 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461e366995084b33554bdb7452efeaf27cd1e663f7dc700abdf8bff6f2843dad
Instruction ID: 4d9b62b4b70fa6d3bad4803ec85360e774e0bc7deec4929e473d9de07f1ad72d
Opcode Fuzzy Hash: 461e366995084b33554bdb7452efeaf27cd1e663f7dc700abdf8bff6f2843dad
Instruction Fuzzy Hash: 34A00129908D06D0EE198B60AD625286220ABAA322B59003AD00D811619E2CA948824A

Function 00007FF628B42C30 Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42C8D
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42CAD
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42CBD
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42D06
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42D36
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42D58
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42D9E
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42DA5
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,00000001,00007FF628B427E7), ref: 00007FF628B42DB2

Memory Dump Source

Source File: 00000000.00000002.2278488279.00007FF628B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF628B40000, based on PE: true

Associated: 00000000.00000002.2278464273.00007FF628B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278512992.00007FF628B45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278538193.00007FF628B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2278559128.00007FF628B4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff628b40000_2PSj0qX4W6.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3274656010-0
Opcode ID: 1c69fbfb43a822db2c1053205ed4b05eb2a64257830f85884b741cf852c91941
Instruction ID: a7d8f292d3bc85e3679484d357668c308f5159dbc559112d17e9adb8a0087b26
Opcode Fuzzy Hash: 1c69fbfb43a822db2c1053205ed4b05eb2a64257830f85884b741cf852c91941
Instruction Fuzzy Hash: C5512236A08A4181EF208F29DDA123CA760EFC6F92B55C537CA5E837A1CF7ED4459349

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2PSj0qX4W6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2PSj0qX4W6.exe_f242d2db8512e499419d5b50699546c36555d67_204a2a81_1fa36391-52e8-4ce3-871e-969bb9376f15\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD67.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE53.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE83.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
2PSj0qX4W6.exe

Function 00007FF628B42890 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 233
librarymemoryencryptionCOMMON

Function 00007FF628B4350C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Function 0000009C38F0EA2B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF628B417B0 Relevance: 26.6, APIs: 17, Instructions: 1087
COMMON

Function 00007FF628B439CC Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF628B43BE4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Function 00007FF628B42C30 Relevance: 13.6, APIs: 9, Instructions: 124
COMMON