Edit tour
Windows
Analysis Report
INCD-IronSwords-Operation-Guidelines-2024.exe
Overview
General Information
| Sample name: | INCD-IronSwords-Operation-Guidelines-2024.exe |
| Analysis ID: | 1537046 |
| MD5: | 2e6c607fe67f744a3b596e756933bc54 |
| SHA1: | a70a1dcb293a85ea60e00524bd21bcb94fb9ef5f |
| SHA256: | 7c585fbcc64c3dcdb5c1562868c97dea3c7f84f4edbf6c6c799834a03766ff65 |
| Tags: | exewww-oref-org-iluser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Uses 32bit PE files
Classification
- System is w10x64
INCD-IronSwords-Operation-Guidelines-2024.exe (PID: 7036 cmdline: "C:\Users\ user\Deskt op\INCD-Ir onSwords-O peration-G uidelines- 2024.exe" MD5: 2E6C607FE67F744A3B596E756933BC54) 
conhost.exe (PID: 2448 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Malware Analysis System Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_009E2593 | |
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 58% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Avira | HEUR/AGEN.1317001 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | unknown | |
| www.oref.org.il | unknown | unknown | false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1537046 |
| Start date and time: | 2024-10-18 14:16:14 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 42s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | INCD-IronSwords-Operation-Guidelines-2024.exe |
| Detection: | MAL |
| Classification: | mal64.winEXE@2/0@1/0 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Excluded IPs from analysis (wh
itelisted): 2.19.126.154, 2.19 .126.151, 20.109.210.53, 13.95 .31.18 - Excluded domains from analysis
(whitelisted): client.wns.win dows.com, fe3.delivery.mp.micr osoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr .update.microsoft.com, a1254.b .akamai.net, ocsp.edge.digicer t.com, glb.cws.prod.dcat.dsp.t rafficmanager.net, sls.update. microsoft.com, www.oref.org.il .edgesuite.net, glb.sls.prod.d cat.dsp.trafficmanager.net, fe 3cr.delivery.mp.microsoft.com - Execution Graph export aborted
for target INCD-IronSwords-Op eration-Guidelines-2024.exe, P ID 7036 because there are no e xecuted function - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - VT rate limit hit for: INCD-I
ronSwords-Operation-Guidelines -2024.exe
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | TechSupportScam | Browse |
| ||
| Get hash | malicious | Sality, XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.993619037598631 |
| TrID: |
|
| File name: | INCD-IronSwords-Operation-Guidelines-2024.exe |
| File size: | 9'798'656 bytes |
| MD5: | 2e6c607fe67f744a3b596e756933bc54 |
| SHA1: | a70a1dcb293a85ea60e00524bd21bcb94fb9ef5f |
| SHA256: | 7c585fbcc64c3dcdb5c1562868c97dea3c7f84f4edbf6c6c799834a03766ff65 |
| SHA512: | c7c76cbacce62a1560648daa8aa337cf0fbde458d571168d54fe5b78fd2abe9788647518bc137f18462909bb864862fd571a81dd4e1693159ba4ff59a0ebadde |
| SSDEEP: | 196608:Bh8DsT3M4ViqlXgbXh4wCCe6cXKwgExsgwtfjndALMPvhaoS89Cz3:Bh8DiIqlXA46eNKTEynfDdAwPvC57 |
| TLSH: | F9A63345F3A2C41DDCEBA5B00EB07FC2AB27F8791A519B07C3A2966C2E61FB51D105C2 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DG._.&...&...&..K^...&..K^...&..K^...&......&&.......&.......&..K^...&...&..U&.......&....1..&.......&..Rich.&................. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x402338 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65216332 [Sat Oct 7 13:54:58 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1fb5787bb2dca08ea282c0023bcd0c1c |
| Instruction |
|---|
| call 00007F92F90B2938h |
| jmp 00007F92F90B2509h |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F92F90B26ABh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F92F90B269Ch |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F92F90B269Eh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F92F90B267Ch |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F92F90B268Bh |
| push esi |
| call 00007F92F90B2DF2h |
| test eax, eax |
| je 00007F92F90B26B2h |
| mov eax, dword ptr fs:[00000018h] |
| mov esi, 00D58964h |
| mov edx, dword ptr [eax+04h] |
| jmp 00007F92F90B2696h |
| cmp edx, eax |
| je 00007F92F90B26A2h |
| xor eax, eax |
| mov ecx, edx |
| lock cmpxchg dword ptr [esi], ecx |
| test eax, eax |
| jne 00007F92F90B2682h |
| xor al, al |
| pop esi |
| ret |
| mov al, 01h |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+08h], 00000000h |
| jne 00007F92F90B2699h |
| mov byte ptr [00D58968h], 00000001h |
| call 00007F92F90B2BDDh |
| call 00007F92F90B3301h |
| test al, al |
| jne 00007F92F90B2696h |
| xor al, al |
| pop ebp |
| ret |
| call 00007F92F90B9B24h |
| test al, al |
| jne 00007F92F90B269Ch |
| push 00000000h |
| call 00007F92F90B3308h |
| pop ecx |
| jmp 00007F92F90B267Bh |
| mov al, 01h |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp byte ptr [00D58969h], 00000000h |
| je 00007F92F90B2696h |
| mov al, 01h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ed14 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x95a000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x95b000 | 0x12c4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1df98 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ded8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x12c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x16b8a | 0x16c00 | eb6a40c5d249ad02722f1e85c07ba09d | False | 0.5986435439560439 | COM executable for DOS | 6.658229702733383 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x18000 | 0x73be | 0x7400 | c1b2e8586db13c600556b5d1aedbbc0c | False | 0.48016567887931033 | data | 5.25161682151725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x20000 | 0x939530 | 0x938a00 | a862ea650d266ef36f0127f066380bff | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x95a000 | 0x1e0 | 0x200 | 770db2e47ffb208f2afd44290c666f1e | False | 0.533203125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x95b000 | 0x12c4 | 0x1400 | d899a7cc5f8b01aeb2db73bbc1d85a0c | False | 0.753515625 | data | 6.410558964853972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x95a060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| KERNEL32.dll | Sleep, CopyFileA, GetLastError, WriteConsoleW, SetEndOfFile, HeapSize, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetFileType, CloseHandle, HeapReAlloc, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetProcessHeap, CreateFileW, FlushFileBuffers, DecodePointer |
| USER32.dll | MessageBoxA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 18, 2024 14:17:09.639127970 CEST | 56465 | 53 | 192.168.2.6 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 18, 2024 14:17:09.639127970 CEST | 192.168.2.6 | 1.1.1.1 | 0x8bc7 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 18, 2024 14:17:09.647754908 CEST | 1.1.1.1 | 192.168.2.6 | 0x8bc7 | No error (0) | www.oref.org.il.edgesuite.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 18, 2024 14:17:24.919292927 CEST | 1.1.1.1 | 192.168.2.6 | 0xe772 | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 18, 2024 14:17:24.919292927 CEST | 1.1.1.1 | 192.168.2.6 | 0xe772 | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 08:17:08 |
| Start date: | 18/10/2024 |
| Path: | C:\Users\user\Desktop\INCD-IronSwords-Operation-Guidelines-2024.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x9e0000 |
| File size: | 9'798'656 bytes |
| MD5 hash: | 2E6C607FE67F744A3B596E756933BC54 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 08:17:08 |
| Start date: | 18/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
⊘No disassembly
