Edit tour

Windows Analysis Report
SiemensServer.exe

Overview

General Information

Sample name:	SiemensServer.exe
Analysis ID:	1540992
MD5:	029364d616c12c1a6ce3f141b3fc5e49
SHA1:	8c2e3778aadeca8f05c06ac8566cfe7d8ab06d06
SHA256:	5f03f3d41fd30591f947ae888b70b2eec33a5b91331ec1cb6976538766f61fff
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Creates an undocumented autostart registry key

Machine Learning detection for sample

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

SiemensServer.exe (PID: 5744 cmdline: "C:\Users\user\Desktop\SiemensServer.exe" MD5: 029364D616C12C1A6CE3F141B3FC5E49)

rundll32.exe (PID: 1132 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

SiemensServer.exe (PID: 1740 cmdline: "C:\Users\user\Desktop\SiemensServer.exe" MD5: 029364D616C12C1A6CE3F141B3FC5E49)

SiemensServer.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\SiemensServer.exe" MD5: 029364D616C12C1A6CE3F141B3FC5E49)

SiemensServer.exe (PID: 3584 cmdline: "C:\Users\user\Desktop\SiemensServer.exe" MD5: 029364D616C12C1A6CE3F141B3FC5E49)

cleanup

Sigma Signatures

System Summary

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\explorer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SiemensServer.exe, ProcessId: 5744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.6% probability

Machine Learning detection for sample

Source: SiemensServer.exe

Joe Sandbox ML: detected

Source: SiemensServer.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SiemensServer.exe, 00000000.00000003.1260767550.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES

memstr_b0e7a184-7

System Summary

Binary is likely a compiled AutoIt script file

Source: SiemensServer.exe, 00000000.00000000.1192179186.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4fdaeba7-9
Source: SiemensServer.exe, 00000000.00000000.1192179186.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa0fa329-3
Source: SiemensServer.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_492b53e1-7
Source: SiemensServer.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6152c96b-9

Source: SiemensServer.exe, 00000000.00000002.1281328295.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000002.1281328295.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1277935417.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1277935417.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1269547773.000000000111C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1278540593.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1278540593.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261289911.0000000003BD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261289911.0000000003BD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1279378173.0000000001114000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261394588.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261394588.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1270022111.000000000125E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1270022111.000000000125E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1268704486.0000000001107000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2056850349.00000000041AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2042849589.0000000004199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053151538.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2059280821.0000000004186000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildrrorH# vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2059280821.00000000041AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2043100303.00000000041AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053620842.00000000016F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053620842.00000000016F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2043805934.000000000417F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildrrorHM vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2058606510.0000000004186000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildrrorH# vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2051593541.00000000016D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2051593541.00000000016D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2061608814.00000000015B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2205493026.0000000001794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2191431057.000000000178B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2192547096.00000000018CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEu&S88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2192547096.00000000018CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_&e8> vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2193120427.0000000001797000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000002.2208926403.000000000427E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2176289338.00000000042E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuild vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2204607494.000000000427E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2177396996.000000000425C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2440331513.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2462158873.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildtr Gd vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2462158873.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildulong vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2448523880.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEEP vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2448523880.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SiemensServer.exe

Source: SiemensServer.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@5/0@0/0

Source: SiemensServer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SiemensServer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown	Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown	Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"

Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Section loaded: sspicli.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SiemensServer.exe

Static file information: File size 1336832 > 1048576

Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SiemensServer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SiemensServer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SiemensServer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SiemensServer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SiemensServer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SiemensServer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SiemensServer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\SiemensServer.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SiemensServer.exe	Window / User API: threadDelayed 358	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Window / User API: threadDelayed 389	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Window / User API: threadDelayed 380	Jump to behavior
Source: C:\Users\user\Desktop\SiemensServer.exe	Window / User API: threadDelayed 1501	Jump to behavior

Source: C:\Users\user\Desktop\SiemensServer.exe TID: 6312

Thread sleep count: 1501 > 30

Jump to behavior

Source: C:\Users\user\Desktop\SiemensServer.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SiemensServer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SiemensServer.exe

Thread sleep count: Count: 1501 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\SiemensServer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: SiemensServer.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SiemensServer.exe, 00000000.00000003.1273875229.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000000.00000002.1281998732.0000000003DD4000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000000.00000003.1275679002.0000000003DD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SiemensServer.exe, 00000014.00000002.2209608111.0000000004470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerXe
Source: SiemensServer.exe, 00000000.00000002.1280098334.0000000000DDB000.00000004.00000010.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000002.2062175379.000000000125B000.00000004.00000010.00020000.00000000.sdmp, SiemensServer.exe, 00000014.00000002.2206666486.000000000141B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ProgmanManagerCoreWindowonWindowClass.0
Source: SiemensServer.exe, 00000017.00000002.2466060664.0000000003F0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerk
Source: SiemensServer.exe, 00000013.00000003.2056111065.000000000438B000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000003.2057202868.0000000004397000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000003.2058632133.0000000004393000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager3

Source: SiemensServer.exe, 00000017.00000002.2449441892.0000000001424000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XPB
Source: SiemensServer.exe, 00000000.00000003.1266545910.0000000003D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81
Source: SiemensServer.exe, 00000017.00000002.2465400587.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_815{G
Source: SiemensServer.exe, 00000000.00000003.1267034380.00000000012A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP^
Source: SiemensServer.exe, 00000014.00000003.2188567036.000000000190B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: SiemensServer.exe, 00000014.00000003.2194742903.00000000043E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_8]K
Source: SiemensServer.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: SiemensServer.exe, 00000014.00000003.2194742903.00000000043E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81;
Source: SiemensServer.exe, 00000017.00000002.2465400587.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_8
Source: SiemensServer.exe, 00000013.00000003.2049754679.00000000042E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81x
Source: SiemensServer.exe, 00000013.00000003.2049754679.00000000042E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_8U

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	11 Input Capture	2 Virtualization/Sandbox Evasion	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Rundll32	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SiemensServer.exe	11%	ReversingLabs
SiemensServer.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540992
Start date and time:	2024-10-24 10:21:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SiemensServer.exe
Detection:	MAL
Classification:	mal56.winEXE@5/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SiemensServer.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8219961892880185
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SiemensServer.exe
File size:	1'336'832 bytes
MD5:	029364d616c12c1a6ce3f141b3fc5e49
SHA1:	8c2e3778aadeca8f05c06ac8566cfe7d8ab06d06
SHA256:	5f03f3d41fd30591f947ae888b70b2eec33a5b91331ec1cb6976538766f61fff
SHA512:	9b7a672fc94c68b45385e29b7e11fdf01d54ea47eabe64e6223fabcef3556b204f0166b8073818795ecac0c1aac5c34cef8c12de02a0c1e8208c4ea358862f90
SSDEEP:	24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8acQgjk6AVlozmPnZzn:KTvC/MTQYxsWR7acQgjkv
TLSH:	C555BF027381D062FF9B96334B57F6614ABC6E260923E51F13982D7ABE701B1163E763
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	4b27a4a664ca5366

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6706E04A [Wed Oct 9 19:58:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F274D1CD0C3h
jmp 00007F274D1CC9CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F274D1CCBADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F274D1CCB7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F274D1CF76Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F274D1CF7B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F274D1CF7A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x6fab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x6fab8	0x6fc00	7c0fa2add48868a1955a0dc8976960a4	False	0.7186276565995525	data	6.917207304924077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x144000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4578	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd48f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.6675531914893617
RT_ICON	0xd4d58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.47701688555347094
RT_ICON	0xd5e00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.3703319502074689
RT_ICON	0xd83a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.31695795937647614
RT_ICON	0xdc5d0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.30328096118299447
RT_ICON	0xe1a58	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.2607998738700862
RT_ICON	0xeaf00	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.1760469655743523
RT_MENU	0xfb728	0x50	data	English	Great Britain	0.9
RT_STRING	0xfb778	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xfbd0c	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xfc398	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xfc828	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xfce24	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xfd480	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xfd8e8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xfda40	0x45b06	data			1.0003363158005367
RT_GROUP_ICON	0x143548	0x68	data	English	Great Britain	0.7692307692307693
RT_GROUP_ICON	0x1435b0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1435c4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1435d8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1435ec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1436c8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	04:21:57
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\SiemensServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SiemensServer.exe"
Imagebase:	0x60000
File size:	1'336'832 bytes
MD5 hash:	029364D616C12C1A6CE3F141B3FC5E49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:23:07
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff7b7e30000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:23:14
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\SiemensServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SiemensServer.exe"
Imagebase:	0x60000
File size:	1'336'832 bytes
MD5 hash:	029364D616C12C1A6CE3F141B3FC5E49
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:23:27
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\SiemensServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SiemensServer.exe"
Imagebase:	0x60000
File size:	1'336'832 bytes
MD5 hash:	029364D616C12C1A6CE3F141B3FC5E49
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:23:35
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\SiemensServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SiemensServer.exe"
Imagebase:	0x60000
File size:	1'336'832 bytes
MD5 hash:	029364D616C12C1A6CE3F141B3FC5E49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SiemensServer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SiemensServer.exePID: 5744, Parent PID: 4552

General

Chronological Activities

Analysis Process: rundll32.exePID: 1132, Parent PID: 804

General

Chronological Activities

Analysis Process: SiemensServer.exePID: 1740, Parent PID: 4552

Windows Analysis Report
SiemensServer.exe