Edit tour

Windows Analysis Report
2PSj0qX4W6.exe

Overview

General Information

Sample name:	2PSj0qX4W6.exe renamed because original name is a hash value
Original sample name:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3.exe
Analysis ID:	1508524
MD5:	c92c541048de8be340a990db10e7cbab
SHA1:	50f7ef4239b9fd0358b10a8b3106871e2de1fd29
SHA256:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3
Tags:	116-198-231-169exe
Infos:

Detection

CobaltStrike, Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2PSj0qX4W6.exe (PID: 5840 cmdline: "C:\Users\user\Desktop\2PSj0qX4W6.exe" MD5: C92C541048DE8BE340A990DB10E7CBAB)

WerFault.exe (PID: 5492 cmdline: C:\Windows\system32\WerFault.exe -u -p 5840 -s 1196 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}

Threatname: Metasploit

{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0xeeb1:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0xef1d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0xa81:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0xaed:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-10T10:59:33.655829+0200	2028765	3	Unknown Traffic	192.168.2.6	49710	116.198.231.169	63222	TCP
2024-09-10T10:59:37.773973+0200	2028765	3	Unknown Traffic	192.168.2.6	49714	116.198.231.169	63222	TCP
2024-09-10T10:59:41.893384+0200	2028765	3	Unknown Traffic	192.168.2.6	49718	116.198.231.169	63222	TCP
2024-09-10T10:59:46.078353+0200	2028765	3	Unknown Traffic	192.168.2.6	49721	116.198.231.169	63222	TCP
2024-09-10T10:59:50.311099+0200	2028765	3	Unknown Traffic	192.168.2.6	49729	116.198.231.169	63222	TCP
2024-09-10T10:59:54.409893+0200	2028765	3	Unknown Traffic	192.168.2.6	49733	116.198.231.169	63222	TCP
2024-09-10T10:59:58.570098+0200	2028765	3	Unknown Traffic	192.168.2.6	49736	116.198.231.169	63222	TCP
2024-09-10T11:00:02.676980+0200	2028765	3	Unknown Traffic	192.168.2.6	49739	116.198.231.169	63222	TCP
2024-09-10T11:00:06.754121+0200	2028765	3	Unknown Traffic	192.168.2.6	49743	116.198.231.169	63222	TCP
2024-09-10T11:00:10.906680+0200	2028765	3	Unknown Traffic	192.168.2.6	49746	116.198.231.169	63222	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2PSj0qX4W6.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}

Multi AV Scanner detection for submitted file

Source: 2PSj0qX4W6.exe	ReversingLabs: Detection: 50%
Source: 2PSj0qX4W6.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: 2PSj0qX4W6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb source: 2PSj0qX4W6.exe
Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb(( source: 2PSj0qX4W6.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor	URLs: http://116.198.231.169/jquery-3.3.2.slim.min.js

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 116.198.231.169:63222

Source: Joe Sandbox View

IP Address: 116.198.231.169 116.198.231.169

Source: Joe Sandbox View

ASN Name: CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49710 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49746 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49714 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49729 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49733 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49721 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49736 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49743 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49718 -> 116.198.231.169:63222
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49739 -> 116.198.231.169:63222

Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.198.231.169

Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE81E000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2425824737.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2487535741.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2466881398.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2446877050.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE81E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169/
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/7
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/ft
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsUb
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.198.231.169:63222/ocal

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF77CA517B0

0_2_00007FF77CA517B0

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5840 -s 1196

Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal96.troj.winEXE@2/5@0/1

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5840

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\757974aa-b1eb-48d5-a47b-6a157b07f2c8

Jump to behavior

Source: 2PSj0qX4W6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2PSj0qX4W6.exe	ReversingLabs: Detection: 50%
Source: 2PSj0qX4W6.exe	Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\2PSj0qX4W6.exe "C:\Users\user\Desktop\2PSj0qX4W6.exe"
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5840 -s 1196

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 2PSj0qX4W6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2PSj0qX4W6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2PSj0qX4W6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2PSj0qX4W6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb source: 2PSj0qX4W6.exe
Source:	Binary string: \ConsoleApplication3\x64\Release\ConsoleApplication3.pdb(( source: 2PSj0qX4W6.exe

Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2PSj0qX4W6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_0000006751CFEB9B push eax; ret		0_2_0000006751CFEDF7
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_0000006751CFED79 push eax; ret		0_2_0000006751CFEDF7

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW{
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE842000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF77CA539CC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF77CA539CC

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF77CA539CC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77CA539CC
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF77CA52F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF77CA52F04
Source: C:\Users\user\Desktop\2PSj0qX4W6.exe	Code function: 0_2_00007FF77CA53B74 SetUnhandledExceptionFilter,	0_2_00007FF77CA53B74

Source: C:\Users\user\Desktop\2PSj0qX4W6.exe

Code function: 0_2_00007FF77CA53BE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77CA53BE4

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2PSj0qX4W6.exe	50%	ReversingLabs	Win64.Backdoor.MeterpreterReverseShell
2PSj0qX4W6.exe	44%	Virustotal		Browse
2PSj0qX4W6.exe	100%	Avira	TR/AD.MeterpreterSC.jtwai

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
https://116.198.231.169/	0%	Virustotal		Browse
https://116.198.231.169:63222/ft	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsUb	0%	Avira URL Cloud	safe
http://code.jquery.com/	0%	Avira URL Cloud	safe
http://code.jquery.com/	1%	Virustotal		Browse
https://116.198.231.169/	0%	Avira URL Cloud	safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Virustotal		Browse
https://116.198.231.169:63222/ocal	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/7	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
http://116.198.231.169/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/	0%	Avira URL Cloud	safe
https://116.198.231.169:63222/	0%	Virustotal		Browse
https://116.198.231.169:63222/7	0%	Virustotal		Browse
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://116.198.231.169/jquery-3.3.2.slim.min.js	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://code.jquery.com/	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE81E000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2425824737.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2487535741.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2466881398.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000003.2446877050.000001C8FE852000.00000004.00000020.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://116.198.231.169:63222/ft	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsUb	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169/	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE81E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/ocal	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/7	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.198.231.169:63222/	2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE7CC000.00000004.00000020.00020000.00000000.sdmp, 2PSj0qX4W6.exe, 00000000.00000002.2896706346.000001C8FE803000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.198.231.169	unknown	China		137699	CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508524
Start date and time:	2024-09-10 10:58:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2PSj0qX4W6.exe renamed because original name is a hash value
Original Sample Name:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 3 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
116.198.231.169	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	TEiot52yrz.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	TEiot52yrz.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	LtmV2sDcTK.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	QT2hJT3Syn.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.198.231.169
	gOEF4WOJ3c.elf	Get hash	malicious	Unknown	Browse	116.198.238.210

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2PSj0qX4W6.exe_19f854f94ebec8a53e578b27f2981d17a41520_204a2a81_4b64f7ab-9feb-4a18-a761-40cb3ed13609\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9252966262023578
Encrypted:	false
SSDEEP:	96:bUFHUdFg9sPsShq1ooh7Ry6NbQXIDcQWc6zcEZcw373+HbHg/JgwPt8sKa9bATFi:bMMysPiS0I3D0jc4TzuiFr9Z24lO8c
MD5:	F812271DDC55AAEF99034078E4BB68E9
SHA1:	8EB1CEF274CD1EF4D29CFFB08A8D768E617F5609
SHA-256:	A42795396D1E569675D0B468F1ED0728B1CC0E994E618D6B237F528BB4D9B4D0
SHA-512:	C5374AA11F7534C5FBF3305779E64C3C361D3C3A48B23E03162C741D445B8DF24080C7386F1E68A4A10731A74EE48183127B7BB8A9222725D2E2E2FF3CAF89FC
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.3.2.4.1.2.5.2.4.0.6.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.3.2.4.1.2.8.9.9.0.6.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.6.4.f.7.a.b.-.9.f.e.b.-.4.a.1.8.-.a.7.6.1.-.4.0.c.b.3.e.d.1.3.6.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.0.3.1.c.2.d.-.1.2.1.7.-.4.8.c.1.-.b.1.4.7.-.a.6.8.0.f.f.a.1.1.b.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.2.P.S.j.0.q.X.4.W.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.d.0.-.0.0.0.1.-.0.0.1.5.-.e.9.a.a.-.9.1.b.e.5.f.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.a.1.4.5.0.4.e.b.2.0.c.3.f.1.c.a.8.1.d.a.b.8.b.1.a.2.5.3.e.c.7.0.0.0.0.f.f.f.f.!.0.0.0.0.5.0.f.7.e.f.4.2.3.9.b.9.f.d.0.3.5.8.b.1.0.a.8.b.3.1.0.6.8.7.1.e.2.d.e.1.f.d.2.9.!.2.P.S.j.0.q.X.4.W.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.1.:.1.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 10 09:00:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	139668
Entropy (8bit):	1.4580377854415398
Encrypted:	false
SSDEEP:	384:3XYZ819UXBhM6pxN0hPQD7Yhox5xZx5xGxmxfx/xfxsxmUiJmBC7UvQJ6l8bw4Ue:3oZ+9xQvYVC7w8H
MD5:	0F27339EA89F09329ABF12ADFE3BC7B2
SHA1:	C62363054D85E3EECFFD4E676AA596B1B99AD60A
SHA-256:	8ADB11DA4FCADC33A3D9AF67B1A3AB09000217B0E7CA1C509551EBAD9F9A1AB2
SHA-512:	2DD100BAF4473A2E5B4D34ABDBA0076F0FAACA587E2B48B3AC1C99BF742B06E1A3E5F065F9B7397FB68C59D05714EA72C778F99D773C770E312390F00EFC4CBE
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... ..........f........................................,S..........T.......8...........T...........x...............P...........<...............................................................................eJ..............Lw......................T...........q..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE72D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8898
Entropy (8bit):	3.7040484298831475
Encrypted:	false
SSDEEP:	192:R6l7wVeJH5UD6Y2DUnturgmfXopDB89bMEUfoEm:R6lXJZA6Y5nturgmfXLM/fq
MD5:	ED37B24945E6CA9CA857AA55125D1C34
SHA1:	0219BC0FC74652BF9E060F05CF654D5D2E13812C
SHA-256:	B995CDC3A33C8AE351DF1DA104CEEC6B03EEA5C09688638A4BCD25B88B4981FE
SHA-512:	4A75AAC1DFBBA1E25FCF2D4A0D0BC5844848CE067FA8E6F96CEF68EF0908AAFC46736B894D06979D05C2682DB0A62B37926A0D6DE49845F3B1C40FC503BDFBC9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE75D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.483424828149646
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJJg771I9dktWpW8VYvYm8M4J88O1F0yq8vY8OgQdmeywVw9d:uIjfbI7Rc7V3JVjWxXQ9XO9d
MD5:	218FFE2992E37E3FF09C21A3CE2BB7AE
SHA1:	8E095A533EA1DC698D009C8A7FC3C843A205C04B
SHA-256:	D6A4348B5E5FD282555D431DFDE5C714BD935A5B8E316A547961FC0343148821
SHA-512:	E63E873E6DB6B0B3767866B69CD9D7A934EB500A25D37C77D30515DF714B787CB512734A975FF3651533925FB29B88E1445961D674304770B7852C01F5BD4F7C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="493922" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468715503812749
Encrypted:	false
SSDEEP:	6144:4zZfpi6ceLPx9skLmb0f3ZWSP3aJG8nAgeiJRMMhA2zX4WABluuN9jDH5S:uZHt3ZWOKnMM6bFpjj4
MD5:	BE72C90B6B7FB65E37EB96C4C87C9E33
SHA1:	560B679C5D0F6B59BA7C4563CA6330980619B8E1
SHA-256:	5C4BB100907085D8CBF6BBEDD4ABD8B573922ED4799D403A9416E8FE7183E3EC
SHA-512:	DBA45191E3C706A731EDEF1FB5D81853233B3E13881B587240AB16D479FA3BAC35B09ACBA9D9E0F36CB9FDDE518F3C65650FE36781228B9624CA1B7F5FCD873A
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.ja._.................................................................................................................................................................................................................................................................................................................................................w.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.837840610486668
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2PSj0qX4W6.exe
File size:	39'424 bytes
MD5:	c92c541048de8be340a990db10e7cbab
SHA1:	50f7ef4239b9fd0358b10a8b3106871e2de1fd29
SHA256:	31a89af6712da7bd56b1033952468302bd0838d48c6712c5499c60178f4d95a3
SHA512:	fa1b8808c7ea8ff81ef4b30095b896098e29c8c281f9bcfd0570469da9bea3b1d9a20aeb75f79dcf2ae4d933442b1d1094bc16156dbd98dadc0f5ff115f8dccb
SSDEEP:	768:+mOM8UGqSc62S1MdS4o8BWPKbKqB5SW2pegUxHTo:+hM2qSO9S4oqijdM1V
TLSH:	8E039D5A7B40C9EEDC6A4339C113A91AF3B378211752BADF57D542620E623E1BC7B092
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-$..iE.^iE.^iE.^`=p^eE.^..._jE.^..._cE.^..._rE.^..._oE.^"=._lE.^iE.^9E.^z.._jE.^z..^hE.^z.._hE.^RichiE.^........PE..d.....uf...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140003688
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667590C5 [Fri Jun 21 14:40:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6b40e87f57848366f8223dc72adc8105

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1AF0CD3B18h
dec eax
add esp, 28h
jmp 00007F1AF0CD3437h
int3
int3
jmp 00007F1AF0CD3D4Eh
int3
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00001CD0h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [00001CB5h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1AF0CD3597h
dec eax
lea edx, dword ptr [00006597h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1AF0CD3C64h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F1AF0CD361Dh
dec eax
or dword ptr [00007959h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00000041h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d5c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xc000	0x2dc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0x74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9260	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9120	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30b4	0x3200	e9963f482a3d6e7f4e75fe743c2953bf	False	0.585234375	data	6.257536886152972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x5914	0x5a00	0d9164bef9ec87f2b9facc8891c7342f	False	0.6498263888888889	data	7.192253966884054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x7a0	0x200	e58308d815ae9f347d76df3fe7a185db	False	0.251953125	DOS executable (block device driver)	2.229094667815011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xc000	0x2dc	0x400	99db291c0f94381619f68f9a01ef2c14	False	0.3837890625	data	3.0805904685737957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xd000	0x1e0	0x200	44e3d39532c9319314b3e7669556d25a	False	0.529296875	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0x74	0x200	f4ff1a136d814031024657417835019e	False	0.23046875	data	1.3772139608147294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xd060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, LoadLibraryA, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, IsDebuggerPresent, VirtualProtect
MSVCP140.dll	?good@ios_base@std@@QEBA_NXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
CRYPT32.dll	CertEnumSystemStore
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memset, __current_exception_context, __current_exception, _CxxThrowException, __C_specific_handler, memcpy, __std_exception_copy, __std_exception_destroy, memchr, __std_terminate
api-ms-win-crt-string-l1-1-0.dll	isalnum
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, __p___argv, __p___argc, terminate, _exit, exit, _initterm_e, _register_thread_local_exe_atexit_callback, _initterm, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _get_initial_narrow_environment, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-heap-l1-1-0.dll	free, _callnewh, _set_new_mode, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-10T10:59:33.655829+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49710	116.198.231.169	63222	TCP
2024-09-10T10:59:37.773973+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49714	116.198.231.169	63222	TCP
2024-09-10T10:59:41.893384+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49718	116.198.231.169	63222	TCP
2024-09-10T10:59:46.078353+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49721	116.198.231.169	63222	TCP
2024-09-10T10:59:50.311099+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49729	116.198.231.169	63222	TCP
2024-09-10T10:59:54.409893+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49733	116.198.231.169	63222	TCP
2024-09-10T10:59:58.570098+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49736	116.198.231.169	63222	TCP
2024-09-10T11:00:02.676980+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49739	116.198.231.169	63222	TCP
2024-09-10T11:00:06.754121+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49743	116.198.231.169	63222	TCP
2024-09-10T11:00:10.906680+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49746	116.198.231.169	63222	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 10:59:30.720750093 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:30.728576899 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:30.728693962 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:30.737454891 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:30.746562004 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.655555964 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.655828953 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.655936956 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.656651974 CEST	49712	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.657365084 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.657454014 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.657922029 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.657977104 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.658705950 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.658761024 CEST	49710	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.661962032 CEST	63222	49710	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.661978960 CEST	63222	49712	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:33.662067890 CEST	49712	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.662364006 CEST	49712	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:33.667212009 CEST	63222	49712	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.690254927 CEST	63222	49712	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.690326929 CEST	49712	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.690413952 CEST	49712	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.691039085 CEST	49713	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.695231915 CEST	63222	49712	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.696063995 CEST	63222	49713	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.696125031 CEST	49713	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.698559999 CEST	49713	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.700242043 CEST	49714	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.703449011 CEST	63222	49713	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.703567028 CEST	63222	49713	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.705111980 CEST	63222	49714	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:35.705142975 CEST	49713	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.705204964 CEST	49714	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.705763102 CEST	49714	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:35.710582018 CEST	63222	49714	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:37.773899078 CEST	63222	49714	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:37.773972988 CEST	49714	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:37.774070978 CEST	49714	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:37.774682999 CEST	49715	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:37.778806925 CEST	63222	49714	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:37.779463053 CEST	63222	49715	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:37.779526949 CEST	49715	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:37.779762030 CEST	49715	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:37.784501076 CEST	63222	49715	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.799499989 CEST	63222	49715	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.799578905 CEST	49715	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.799685955 CEST	49715	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.800352097 CEST	49717	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.805425882 CEST	63222	49715	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.806435108 CEST	63222	49717	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.806535959 CEST	49717	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.806710005 CEST	49717	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.808470011 CEST	49718	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.812413931 CEST	63222	49717	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.812480927 CEST	49717	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.814269066 CEST	63222	49718	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:39.816961050 CEST	49718	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.817298889 CEST	49718	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:39.822118044 CEST	63222	49718	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:41.893270969 CEST	63222	49718	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:41.893383980 CEST	49718	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:41.893472910 CEST	49718	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:41.893949986 CEST	49719	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:41.898272991 CEST	63222	49718	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:41.898824930 CEST	63222	49719	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:41.898905993 CEST	49719	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:41.899262905 CEST	49719	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:41.904879093 CEST	63222	49719	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.919490099 CEST	63222	49719	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.919723034 CEST	49719	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.919836998 CEST	49719	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.920530081 CEST	49720	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.924664021 CEST	63222	49719	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.926518917 CEST	63222	49720	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.926613092 CEST	49720	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.926692009 CEST	49720	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.935798883 CEST	63222	49720	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.935813904 CEST	63222	49720	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.935887098 CEST	49720	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.946899891 CEST	49721	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.952742100 CEST	63222	49721	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:43.952832937 CEST	49721	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.953110933 CEST	49721	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:43.958360910 CEST	63222	49721	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:46.078262091 CEST	63222	49721	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:46.078352928 CEST	49721	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:46.078413963 CEST	49721	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:46.078876972 CEST	49722	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:46.083461046 CEST	63222	49721	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:46.083781004 CEST	63222	49722	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:46.083849907 CEST	49722	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:46.084161043 CEST	49722	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:46.089684010 CEST	63222	49722	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.157211065 CEST	63222	49722	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.157284975 CEST	49722	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.157392025 CEST	49722	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.157861948 CEST	49728	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.164355993 CEST	63222	49722	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.166410923 CEST	63222	49728	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.166484118 CEST	49728	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.166604996 CEST	49728	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.168023109 CEST	49729	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.173434019 CEST	63222	49728	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.173491001 CEST	49728	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.174988985 CEST	63222	49729	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:48.175112009 CEST	49729	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.175410032 CEST	49729	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:48.180566072 CEST	63222	49729	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:50.311037064 CEST	63222	49729	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:50.311099052 CEST	49729	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:50.311172009 CEST	49729	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:50.311872959 CEST	49731	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:50.315984964 CEST	63222	49729	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:50.316875935 CEST	63222	49731	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:50.316977024 CEST	49731	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:50.317272902 CEST	49731	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:50.322021008 CEST	63222	49731	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.367132902 CEST	63222	49731	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.367230892 CEST	49731	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.367342949 CEST	49731	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.367826939 CEST	49732	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.372170925 CEST	63222	49731	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.372714996 CEST	63222	49732	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.372781038 CEST	49732	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.372848034 CEST	49732	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.374197006 CEST	49733	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.378457069 CEST	63222	49732	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.378515005 CEST	49732	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.379097939 CEST	63222	49733	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:52.379152060 CEST	49733	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.379435062 CEST	49733	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:52.384382010 CEST	63222	49733	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:54.409831047 CEST	63222	49733	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:54.409893036 CEST	49733	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:54.409981966 CEST	49733	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:54.414793015 CEST	63222	49733	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:54.416822910 CEST	49734	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:54.421756029 CEST	63222	49734	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:54.421832085 CEST	49734	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:54.422163010 CEST	49734	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:54.427814960 CEST	63222	49734	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.475197077 CEST	63222	49734	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.475317001 CEST	49734	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.475428104 CEST	49734	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.479209900 CEST	49735	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.480391026 CEST	63222	49734	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.484093904 CEST	63222	49735	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.484168053 CEST	49735	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.484318972 CEST	49735	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.486936092 CEST	49736	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.489562988 CEST	63222	49735	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.489629984 CEST	49735	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.492364883 CEST	63222	49736	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:56.492669106 CEST	49736	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.492971897 CEST	49736	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:56.497777939 CEST	63222	49736	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:58.570008993 CEST	63222	49736	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:58.570097923 CEST	49736	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:58.571727037 CEST	49736	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:58.574446917 CEST	49737	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:58.576970100 CEST	63222	49736	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:58.579792023 CEST	63222	49737	116.198.231.169	192.168.2.6
Sep 10, 2024 10:59:58.579859018 CEST	49737	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:58.580430031 CEST	49737	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 10:59:58.585581064 CEST	63222	49737	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.676857948 CEST	63222	49737	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.676930904 CEST	49737	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.677011967 CEST	49737	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.679893970 CEST	49738	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.682952881 CEST	63222	49737	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.685765028 CEST	63222	49738	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.685822010 CEST	49738	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.685879946 CEST	49738	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.686971903 CEST	49739	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.691569090 CEST	63222	49738	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.691621065 CEST	49738	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.691772938 CEST	63222	49739	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:00.691836119 CEST	49739	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.692034006 CEST	49739	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:00.696796894 CEST	63222	49739	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:02.676904917 CEST	63222	49739	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:02.676980019 CEST	49739	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:02.677057028 CEST	49739	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:02.681301117 CEST	49740	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:02.681874990 CEST	63222	49739	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:02.686177969 CEST	63222	49740	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:02.686255932 CEST	49740	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:02.686887980 CEST	49740	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:02.691689968 CEST	63222	49740	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.742826939 CEST	63222	49740	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.742902994 CEST	49740	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.742984056 CEST	49740	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.745366096 CEST	49742	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.747920990 CEST	63222	49740	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.750256062 CEST	63222	49742	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.750327110 CEST	49742	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.750435114 CEST	49742	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.751815081 CEST	49743	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.755709887 CEST	63222	49742	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.755754948 CEST	49742	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.756675959 CEST	63222	49743	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:04.756742954 CEST	49743	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.756972075 CEST	49743	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:04.761814117 CEST	63222	49743	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:06.754056931 CEST	63222	49743	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:06.754121065 CEST	49743	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:06.754240036 CEST	49743	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:06.759197950 CEST	63222	49743	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:06.759752035 CEST	49744	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:06.764728069 CEST	63222	49744	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:06.765093088 CEST	49744	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:06.765093088 CEST	49744	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:06.770709991 CEST	63222	49744	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.873779058 CEST	63222	49744	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.873878002 CEST	49744	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.873955965 CEST	49744	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.876344919 CEST	49745	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.880786896 CEST	63222	49744	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.883395910 CEST	63222	49745	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.883481979 CEST	49745	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.883650064 CEST	49745	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.887233019 CEST	49746	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.890755892 CEST	63222	49745	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.890825033 CEST	49745	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.894006014 CEST	63222	49746	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:08.894078016 CEST	49746	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.894349098 CEST	49746	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:08.901087999 CEST	63222	49746	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:10.902652979 CEST	63222	49746	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:10.906680107 CEST	49746	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:10.906754971 CEST	49746	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:10.909368038 CEST	49747	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:10.913419962 CEST	63222	49746	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:10.915198088 CEST	63222	49747	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:10.918633938 CEST	49747	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:10.918930054 CEST	49747	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:10.924865961 CEST	63222	49747	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:12.957307100 CEST	63222	49747	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:12.957408905 CEST	49747	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:12.957540989 CEST	49747	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:12.960448980 CEST	49748	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:12.962397099 CEST	63222	49747	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:12.965328932 CEST	63222	49748	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:12.965421915 CEST	49748	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:12.965591908 CEST	49748	63222	192.168.2.6	116.198.231.169
Sep 10, 2024 11:00:12.970629930 CEST	63222	49748	116.198.231.169	192.168.2.6
Sep 10, 2024 11:00:12.970714092 CEST	49748	63222	192.168.2.6	116.198.231.169

Target ID:	0
Start time:	04:59:29
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\2PSj0qX4W6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2PSj0qX4W6.exe"
Imagebase:	0x7ff77ca50000
File size:	39'424 bytes
MD5 hash:	C92C541048DE8BE340A990DB10E7CBAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:00:12
Start date:	10/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5840 -s 1196
Imagebase:	0x7ff72d3f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	30%
Total number of Nodes:	253
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF77CA52890 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 233
librarymemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF77CA528D8
memcpy.VCRUNTIME140 ref: 00007FF77CA52971
memcpy.VCRUNTIME140 ref: 00007FF77CA52A12
memset.VCRUNTIME140 ref: 00007FF77CA52A80
memset.VCRUNTIME140 ref: 00007FF77CA52AD2
LoadLibraryA.KERNEL32 ref: 00007FF77CA52B80
VirtualProtect.KERNELBASE ref: 00007FF77CA52B9A
CertEnumSystemStore.CRYPT32 ref: 00007FF77CA52BAE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA52BE7

Part of subcall function 00007FF77CA531A4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF77CA5100E), ref: 00007FF77CA531BE

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77CA52C27

Strings

kernel32.dll, xrefs: 00007FF77CA52B79
fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G, xrefs: 00007FF77CA528CB

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: memcpy$memset$CertConcurrency::cancel_current_taskEnumLibraryLoadProtectStoreSystemVirtual_invalid_parameter_noinfo_noreturnmalloc
String ID: fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G$kernel32.dll
API String ID: 150564791-1552992655
Opcode ID: ffa8f0ba843f4013f44525dfc9840ffd1d381b7730647cc0e71a19c35832ef2a
Instruction ID: bd2bf7aec76efc8027e292688d17250501db719a2d8295e22a95f3212de1e712
Opcode Fuzzy Hash: ffa8f0ba843f4013f44525dfc9840ffd1d381b7730647cc0e71a19c35832ef2a
Instruction Fuzzy Hash: 7EA1A323B3868685EB20DB20F440AADA361FB49795FC28732DB5D47696DF38E145C710

Function 00007FF77CA5350C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77CA53535
__scrt_release_startup_lock.LIBCMT ref: 00007FF77CA535A3
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA535F1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA535F6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA535FE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA53606
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA53628
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77CA53682

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: df102f85938d3cac35a7069fa22ae6c53ea1cb25a1aa4727b64a6a950befc1c6
Instruction ID: 74d543b75b1f2efc695acce52ae99073c62256344bd8a73388f44c10168a8c29
Opcode Fuzzy Hash: df102f85938d3cac35a7069fa22ae6c53ea1cb25a1aa4727b64a6a950befc1c6
Instruction Fuzzy Hash: 92312913F3A60242EB10BB65B411BB9E291AF88782FC6C434EB0D076D7DE2DE4048260

Function 0000006751CFEB9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000006751CFEBB6

Strings

U.;, xrefs: 0000006751CFEBB1

Memory Dump Source

Source File: 00000000.00000002.2896570979.0000006751CFE000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000006751CFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6751cfe000_2PSj0qX4W6.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction ID: cafdd04c6bb284505b192317716b2efab7c5bf1e50111015bebf52c1c68a5994
Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction Fuzzy Hash: FB117CA034890D1BF61C819D7C6A73622CAD7C975AF25827FB50FC32D6DD948C93405A

Non-executed Functions

Function 00007FF77CA517B0 Relevance: 26.6, APIs: 17, Instructions: 1087
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF77CA52807), ref: 00007FF77CA51811
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF77CA52807), ref: 00007FF77CA51880

Part of subcall function 00007FF77CA531A4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF77CA5100E), ref: 00007FF77CA531BE

memcpy.VCRUNTIME140(00000000,?,?,00007FF77CA52807), ref: 00007FF77CA518A3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77CA518C8
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF77CA52807), ref: 00007FF77CA519B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF77CA52807), ref: 00007FF77CA519EE
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF77CA52807), ref: 00007FF77CA519F8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77CA51A2B

Part of subcall function 00007FF77CA531A4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77CA531D4
Part of subcall function 00007FF77CA531A4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77CA531DA

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemcpy$_invalid_parameter_noinfo_noreturn$malloc
String ID:
API String ID: 1057630676-0
Opcode ID: 464bffc901c1c071010548c694ba76aea8e22709931f1539bc19d3fd378ea19e
Instruction ID: a4d26907f7b7776e3e1ba507700a6a22bb64b7f6ac83d2d337fa33c4e0b6556f
Opcode Fuzzy Hash: 464bffc901c1c071010548c694ba76aea8e22709931f1539bc19d3fd378ea19e
Instruction Fuzzy Hash: 64A228737282D18AE7259F29B4406FABBA1F74978AF868235DB8D47785CB3CE501C710

Function 00007FF77CA539CC Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF77CA539E8
memset.VCRUNTIME140 ref: 00007FF77CA53A0C
RtlCaptureContext.KERNEL32 ref: 00007FF77CA53A15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77CA53A2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF77CA53A70
memset.VCRUNTIME140 ref: 00007FF77CA53AA3
IsDebuggerPresent.KERNEL32 ref: 00007FF77CA53AC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77CA53AE1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77CA53AEC

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f2aa790f9085783cc2a9030d909d546b5d07370b2f8c6efc4ec764b99a8b9c54
Instruction ID: 9e59ac22707c9c221e46e35c929cd4e6c600e4af85117503bc413186e4353401
Opcode Fuzzy Hash: f2aa790f9085783cc2a9030d909d546b5d07370b2f8c6efc4ec764b99a8b9c54
Instruction Fuzzy Hash: 82311D67B29B818AEB609F60F8507A9A360FB88705F818439DB4E47A95EE38D548C710

Function 00007FF77CA53BE4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF77CA53C10
GetCurrentThreadId.KERNEL32 ref: 00007FF77CA53C1E
GetCurrentProcessId.KERNEL32 ref: 00007FF77CA53C2A
QueryPerformanceCounter.KERNEL32 ref: 00007FF77CA53C3A

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0276672fa070bc2c4ef3fd86ef9fb26e19d7fbff92688fdf569c2d60a7172a23
Instruction ID: 7fd76fe9eb8417e07ec6fc4bc9cd0f046c9485978a8725ac4fc03517d46b5040
Opcode Fuzzy Hash: 0276672fa070bc2c4ef3fd86ef9fb26e19d7fbff92688fdf569c2d60a7172a23
Instruction Fuzzy Hash: 4C114C22B24F058AEB009B60F8546B973A4FB1D759F850A31EF2D427A4DF38D1588390

Function 00007FF77CA53B74 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461e366995084b33554bdb7452efeaf27cd1e663f7dc700abdf8bff6f2843dad
Instruction ID: b4fdf1b7a0a0805aebff711d745102f18cf088e753e3bee8333f5358700e1f20
Opcode Fuzzy Hash: 461e366995084b33554bdb7452efeaf27cd1e663f7dc700abdf8bff6f2843dad
Instruction Fuzzy Hash: 23A00126E39D02E4EB04AB40F950820E220ABA8322B838035E20E41060DE6CA5548261

Function 00007FF77CA52C30 Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52C8D
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52CAD
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52CBD
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52D06
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52D36
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52D58
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52D9E
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52DA5
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,00000001,00007FF77CA527E7), ref: 00007FF77CA52DB2

Memory Dump Source

Source File: 00000000.00000002.2896924563.00007FF77CA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CA50000, based on PE: true

Associated: 00000000.00000002.2896888891.00007FF77CA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896937029.00007FF77CA55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896951100.00007FF77CA5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2896971827.00007FF77CA5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77ca50000_2PSj0qX4W6.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3274656010-0
Opcode ID: 1c69fbfb43a822db2c1053205ed4b05eb2a64257830f85884b741cf852c91941
Instruction ID: 8500872ba98e769f42bf40b40b4933426edc0927dbc36b0d2ec82d40503ec16f
Opcode Fuzzy Hash: 1c69fbfb43a822db2c1053205ed4b05eb2a64257830f85884b741cf852c91941
Instruction Fuzzy Hash: D8512133728A4185EB20AB19F590A38E760EF89F96B96C631DB5F837A1CF2DD4458350

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2PSj0qX4W6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2PSj0qX4W6.exe_19f854f94ebec8a53e578b27f2981d17a41520_204a2a81_4b64f7ab-9feb-4a18-a761-40cb3ed13609\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE651.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE72D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE75D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
2PSj0qX4W6.exe

Function 00007FF77CA52890 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 233
librarymemoryencryptionCOMMON

Function 00007FF77CA5350C Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Function 0000006751CFEB9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF77CA517B0 Relevance: 26.6, APIs: 17, Instructions: 1087
COMMON

Function 00007FF77CA539CC Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF77CA53BE4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Function 00007FF77CA52C30 Relevance: 13.6, APIs: 9, Instructions: 124
COMMON