Windows Analysis Report
MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip

Overview

General Information

Sample name:MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip
Analysis ID:1540369
MD5:3d57cb1cc275eb4522386cb00cae085e
SHA1:13a15c678356d7a224c61f8c648d92d34f9e7dc2
SHA256:71a55309131b87067f75da4b40e570d4af840883a5ab91a4a041a84f3f365029
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a window with clipboard capturing capabilities
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6340 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
    • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ResourceHacker.exe (PID: 6680 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe" MD5: E726467125975003374A5CCE80621F72)
  • cleanup
No configs have been found
Yara matches (memory dumps):
• Source: 00000009.00000000.1295581113.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Yara matches (unpacked PEs):
• Source: 9.0.ResourceHacker.exe.400000.0.unpack, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
      Sigma detected: Conhost Spawned By Uncommon Parent Process
      Source: Process started, Author: Tim Rauch, Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6340, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6744, ProcessName: conhost.exe
      No Suricata rule has matched

      There are no malicious signatures.

      Source: ResourceHacker.exe, 00000009.00000000.1296112558.000000000091E000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.angusj.com
      Source: ResourceHacker.exe, 00000009.00000000.1296112558.000000000091E000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.angusj.com/resourcehacker/
      Source: ResourceHacker.exe, 00000009.00000000.1296112558.0000000000791000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.greenfishsoftware.org/
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Window created: window name: CLIPBRDWNDCLASS
      Source: classification engine | Classification label: clean2.winZIP@3/1@0/0
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6744:120:WilError_03
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Mutant created: \Sessions\1\BaseNamedObjects\ResourceHacker
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | File created: C:\Users\user\AppData\Local\Temp\res909A.tmp
      Source: Yara match | File source: 9.0.ResourceHacker.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000009.00000000.1295581113.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | File read: C:\Windows\win.ini
      Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | File read: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.ini
      Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe"
      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: netapi32.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: wtsapi32.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: winsta.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: msftedit.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: olepro32.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: riched20.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: usp10.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: msls31.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: dataexchange.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: d3d11.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: dcomp.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: dxgi.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Section loaded: dxcore.dll
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | File written: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.ini
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Window found: window name: TMainForm
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | File opened: C:\Windows\SysWOW64\Msftedit.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip | Static file information: File size 2201950 > 1048576
      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\rundll32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Windows\System32\rundll32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures for that technique):
      • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
      • Resource Development: Acquire Infrastructure, Domains, DNS Server
      • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
      • Execution: 1 Windows Management Instrumentation, Scheduled Task/Job, At
      • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows)
      • Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows)
      • Defense Evasion: 1 Rundll32, 1 Process Injection, 1 DLL Side-Loading
      • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
      • Discovery: 1 Security Software Discovery, 2 File and Directory Discovery, 1 System Information Discovery
      • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
      • Collection: 1 Clipboard Data, Data from Removable Media, Data from Network Shared Drive
      • Command and Control: Data Obfuscation, Junk Data, Steganography
      • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
      • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
      Behavior Graph ID: 1540369, Sample: MDE_File_Sample_23cd0d899ad..., Start date: 23/10/2024, Architecture: WINDOWS, Score: 2. Graph: rundll32.exe started; ResourceHacker.exe started; conhost.exe started by rundll32.exe.

      No Antivirus matches
      No contacted domains info
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.greenfishsoftware.org/ | ResourceHacker.exe, 00000009.00000000.1296112558.0000000000791000.00000002.00000001.01000000.00000006.sdmp | false | | unknown
      http://www.angusj.com/resourcehacker/ | ResourceHacker.exe, 00000009.00000000.1296112558.000000000091E000.00000002.00000001.01000000.00000006.sdmp | false | | unknown
      http://www.angusj.com | ResourceHacker.exe, 00000009.00000000.1296112558.000000000091E000.00000002.00000001.01000000.00000006.sdmp | false | | unknown
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1540369
            Start date and time:2024-10-23 17:45:37 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 3m 34s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsinteractivecookbook.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:12
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip
            Detection:CLEAN
            Classification:clean2.winZIP@3/1@0/0
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .zip
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • VT rate limit hit for: MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip
            No simulations
            No context
            Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe
            File Type:Generic INItialization configuration [MonospaceFont]
            Category:dropped
            Size (bytes):351
            Entropy (8bit):5.012615069641578
            Encrypted:false
            SSDEEP:6:8X80l4WGzCSvteSTK8FUr0Rhq3tFHjlL4TXA5oeNl9Mu7yomhwQFyn:680l4WlSc0Dq3Djl0rPqluu7T1n
            MD5:2FAB62CD0899574CCE418DA4EEB1D3E7
            SHA1:9C23B766BE7A037D6C6A57CECCFCA4834538328B
            SHA-256:2C6B4DB5129A5597562634E24711ADD9B9D516B1077246D49873A0BA67042426
            SHA-512:EEA88AE232E8FC2F947D60CDF071BBAF4A376C845A27C41D9E8B191A9AE8E4B9380606C649A7BB5A7EBC642E009230B03A6C462356708B8D17341B5AD2965D71
            Malicious:false
            Reputation:low
            Preview:[Setup]..left=240..top=272..width=800..height=440..MaximizedState=0..MenuEditMode=0..DisableGridlines=0..vsplit=200..LastDir=..ToolbarSize=1....[MonospaceFont]..Name=Courier New..Size=9..Color=-16777208..Style=0....[Font]..Name=Tahoma..Size=9..Color=-16777208..CharSet=1..Style=0....[MRU List]..MRU1=..MRU2=..MRU3=..MRU4=..MRU5=..MRU6=..MRU7=..MRU8=..
            File type:Zip archive data, at least v2.0 to extract, compression method=deflate
            Entropy (8bit):7.999912989019923
            TrID:
            • ZIP compressed archive (8000/1) 100.00%
            File name:MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip
            File size:2'201'950 bytes
            MD5:3d57cb1cc275eb4522386cb00cae085e
            SHA1:13a15c678356d7a224c61f8c648d92d34f9e7dc2
            SHA256:71a55309131b87067f75da4b40e570d4af840883a5ab91a4a041a84f3f365029
            SHA512:d57a11d383f4d668d8450b38e202debe444590fe61fbaaf6e03629120aa460a08cd80ec0349c44afaf0370c22d9627f05a84b1e05b28a26b20cc4a14e655986a
            SSDEEP:49152:bNm/INLZC/wVj54L5cDCjjVtLMi/Xlyi2LsfrZ5ONFYfXYK:bNm/8LZCCj+N/N/EsTZUFYfXL
            TLSH:4FA53322110B6277E635D8C160A3B124B4A354F9A8F983E8F3EF65F7143D9897E16DE0
            File Content Preview:PK.........}WY.d....!..pV...$.ResourceHacker.exe.. .........&C..b%..%C..b%...C..b%....<..1....3..*.....N........2..~..{...#...............x<....J....#-..+<|-.9uy=.(....3.O.w..?.aA'.2b.....?.......+E.._*.1....L.w..%.S..e.rk.....l.*.:.C..f[.4.....C%..y...`.
            Icon Hash:1c1c1e4e4ececedc
            No network behavior found

            Target ID:0
            Start time:11:46:05
            Start date:23/10/2024
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Imagebase:0x7ff7dd680000
            File size:71'680 bytes
            MD5 hash:EF3179D498793BF4234F708D3BE28633
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:11:46:18
            Start date:23/10/2024
            Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_23cd0d899ada82527bfb8461d6df5489f19e8359.zip\ResourceHacker.exe"
            Imagebase:0x400000
            File size:5'664'768 bytes
            MD5 hash:E726467125975003374A5CCE80621F72
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1295581113.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            Target ID:11
            Start time:11:47:16
            Start date:23/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6684c0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            No disassembly