Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RKVaYznwyT.exe

Overview

General Information

Sample name:RKVaYznwyT.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f
Analysis ID:1541502
MD5:fdb7614d7064da1a089a7f330177b2dd
SHA1:ea44186936ad92c902ff1e8d9019efd46904e53f
SHA256:7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f
Infos:

Detection

Score:23
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

AI detected suspicious sample
Creates a process in suspended mode (likely to inject code)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • RKVaYznwyT.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\RKVaYznwyT.exe" MD5: FDB7614D7064DA1A089A7F330177B2DD)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • HOSTNAME.EXE (PID: 6492 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Suspicious Execution of Hostname
Source: Process startedAuthor: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: "C:\Users\user\Desktop\RKVaYznwyT.exe", ParentImage: C:\Users\user\Desktop\RKVaYznwyT.exe, ParentProcessId: 6296, ParentProcessName: RKVaYznwyT.exe, ProcessCommandLine: hostname, ProcessId: 6492, ProcessName: HOSTNAME.EXE

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 94.3% probability
Source: RKVaYznwyT.exeStatic PE information: Number of sections : 14 > 10
Source: RKVaYznwyT.exeStatic PE information: Section: /19 ZLIB complexity 0.9985184957349081
Source: RKVaYznwyT.exeStatic PE information: Section: /46 ZLIB complexity 0.999921875
Source: RKVaYznwyT.exeStatic PE information: Section: /99 ZLIB complexity 1.0000082179172511
Source: RKVaYznwyT.exeStatic PE information: Section: /112 ZLIB complexity 0.9919689685314685
Source: classification engineClassification label: sus23.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: RKVaYznwyT.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RKVaYznwyT.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: RKVaYznwyT.exeString found in binary or memory: p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicInstCap
Source: RKVaYznwyT.exeString found in binary or memory: p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeogra
Source: RKVaYznwyT.exeString found in binary or memory: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitPro
Source: RKVaYznwyT.exeString found in binary or memory: gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicInstCaptureInstRuneAnyInstallPathMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySYMCLI_SID=SYSTEMROOT=SetFileTimeSignWritingSoft_DottedVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_Space[:^xdigit:]_SYMINQ.TXTalarm clockapppathrootbad addressbad messagebad timedivbroken pipecgocall nilclobberfreeclosesocketcreated by crypt32.dllfile existsfinal tokenfloat32nan2float64nan2float64nan3gatekeeper gccheckmarkgetpeernamegetsocknamei/o timeoutlost mcachemSpanManualmethodargs(mswsock.dllno root keyparse errorruntime: P runtime: p scheddetailschema1 %s
Source: unknownProcess created: C:\Users\user\Desktop\RKVaYznwyT.exe "C:\Users\user\Desktop\RKVaYznwyT.exe"
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostnameJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: winrnr.dllJump to behavior
Source: RKVaYznwyT.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: RKVaYznwyT.exeStatic file information: File size 4375040 > 1048576
Source: RKVaYznwyT.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x15fc00
Source: RKVaYznwyT.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18fe00
Source: RKVaYznwyT.exeStatic PE information: section name: /4
Source: RKVaYznwyT.exeStatic PE information: section name: /19
Source: RKVaYznwyT.exeStatic PE information: section name: /32
Source: RKVaYznwyT.exeStatic PE information: section name: /46
Source: RKVaYznwyT.exeStatic PE information: section name: /63
Source: RKVaYznwyT.exeStatic PE information: section name: /80
Source: RKVaYznwyT.exeStatic PE information: section name: /99
Source: RKVaYznwyT.exeStatic PE information: section name: /112
Source: RKVaYznwyT.exeStatic PE information: section name: /124
Source: RKVaYznwyT.exeStatic PE information: section name: .symtab
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RKVaYznwyT.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: HOSTNAME.EXE, 00000002.00000002.1710624664.000002B580939000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: RKVaYznwyT.exe, 00000000.00000002.1712910823.0000000000B3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RKVaYznwyT.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostnameJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		1
Software Packing		OS Credential Dumping1
System Time Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		11
Process Injection		LSASS Memory1
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541502 Sample: RKVaYznwyT Startdate: 24/10/2024 Architecture: WINDOWS Score: 23 12 AI detected suspicious sample 2->12 6 RKVaYznwyT.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started        10 HOSTNAME.EXE 1 6->10         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
RKVaYznwyT.exe0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541502
Start date and time:2024-10-24 22:23:46 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 12s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:RKVaYznwyT.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f
Detection:SUS
Classification:sus23.winEXE@4/0@0/0
EGA Information:Failed
HCA Information:Failed
Cookbook Comments:
  • Stop behavior analysis, all processes terminated

Warnings

  • Execution Graph export aborted for target RKVaYznwyT.exe, PID 6296 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: RKVaYznwyT.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.549810661574742
TrID:
  • Win64 Executable (generic) (12005/4) 74.80%
  • Generic Win/DOS Executable (2004/3) 12.49%
  • DOS Executable Generic (2002/1) 12.47%
  • VXD Driver (31/22) 0.19%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:RKVaYznwyT.exe
File size:4'375'040 bytes
MD5:fdb7614d7064da1a089a7f330177b2dd
SHA1:ea44186936ad92c902ff1e8d9019efd46904e53f
SHA256:7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f
SHA512:67ee063d64f41d18bcedd5cc29a4aec054607b9a567604642af521d633739005205a2c00dced95ff69459b2d3604029bdcd288cb62601279a7455187ba1a71d3
SSDEEP:49152:6kk3Coj5ZeSUdgX3PLCeYo/NhMNggRIH+u8psfnTb6voVMgRUaze5SV7vf2543:9Lo9DCgjDYmevoVMOzKY32
TLSH:8A167D12FCEE14FECABEF03449A197217A7174A543327B836F94496E1A66BD47E2D300
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........>.......#...........................@...............................E............... ............................

File Icon

Icon Hash:90cececece8e8eb0

Static PE Info

General

Entrypoint:0x45ae00
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:1cd364a9e949d5ecebd6c614e64bc545

Entrypoint Preview

Instruction
jmp 00007FF3A8823600h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
dec eax
mov eax, dword ptr [ecx]
dec eax
mov esi, dword ptr [ecx+10h]
dec eax
mov ecx, dword ptr [ecx+08h]
dec eax
mov edi, dword ptr [00000030h]
mov dword ptr [edi+68h], 00000000h
dec eax
sub esp, 00000080h
cmp ecx, 04h
jle 00007FF3A8827273h
cmp ecx, 10h
jle 00007FF3A8827264h
int 03h
dec eax
mov edi, esp
cld
dec eax
movsd
dec eax
mov esi, esp
dec eax
mov ecx, dword ptr [esi]
dec eax
mov edx, dword ptr [esi+08h]
dec esp
mov eax, dword ptr [esi+10h]
dec esp
mov ecx, dword ptr [esi+18h]
dec ax
movd mm0, ecx
dec ax
movd mm1, edx
dec cx
movd mm2, eax
dec cx
movd mm3, ecx
call eax
dec eax
add esp, 00000080h
pop ecx
dec eax
mov dword ptr [ecx+18h], eax
dec eax
mov edi, dword ptr [00000030h]
mov eax, dword ptr [edi+68h]
dec eax
mov dword ptr [ecx+28h], eax
ret
int3
int3
int3
int3
int3
dec eax
sub esp, 30h
dec eax
mov ecx, FFFFFFF4h
dec eax
mov dword ptr [esp], ecx
dec eax
mov eax, dword ptr [0029620Ah]
call eax
dec eax
mov ecx, eax
dec eax
mov dword ptr [esp], ecx
dec eax
lea edx, dword ptr [002CEE2Ah]
dec eax
mov dword ptr [esp+08h], edx
inc esp
lea eax, dword ptr [002CEA0Ah]
dec esp
mov dword ptr [esp+10h], eax

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x41a0000x3b4.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x2f10200x108.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x15fa9b0x15fc00f896109206e2f3d600e55aa882bafa9fFalse0.41045817230810233data5.863451157051376IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x1610000x18fdcd0x18fe00174f6b48feeecb970d0a28168f720b34False0.38438098331509846data5.184409142361513IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x2f10000x3b7280x19000a22ea40643bed0f4c13c05d97c8866ccFalse0.319677734375data4.013777148248291IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/40x32d0000x1190x20028a3e9c96b9bb43e6541a26c8f68899bFalse0.595703125data4.8292159200679565IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/190x32e0000x2f86e0x2fa00d3cb1f0775d7a9692c21e29c7c5b917fFalse0.9985184957349081data7.9942238121734235IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/320x35e0000xc49c0xc60020384ce26cd9ed1f9f5ca88433a6c392False0.988577178030303data7.932407977018054IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/460x36b0000x31ce0x3200fda3f753fbff6db69dede2d69d6f2b5aFalse0.999921875data7.963882243244083IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/630x36f0000x60570x620033a52f57e7a65f1804553e3001281293False0.9855707908163265data7.964457022101287IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/800x3760000x220x200b695610b59faaff118f91fc317f4e65eFalse0.076171875MIPSEB MIPS-II ECOFF executable not stripped - version 116.1050.6138392741996215IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/990x3770000x591a30x59200e68d26b91e299b16d2ced27ef46bf5b5False1.0000082179172511data7.9972530506983714IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/1120x3d10000x358540x35a0007819bb1286da2d7d806ec2d50910e82False0.9919689685314685data7.994019503766179IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/1240x4070000x1216d0x12200e2108072a15891e1875ee81eeb1483d3False0.9723733836206897data7.8045801849914485IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata0x41a0000x3b40x400b10e00eaffd744555e02e2754e7533adFalse0.43359375data4.093039033713278IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.symtab0x41b0000x3c7a30x3c800dadf31f242ed22cd4eb6222517ec2780False0.23810772856404958data5.353104125926414IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
kernel32.dllWriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:16:24:41
Start date:24/10/2024
Path:C:\Users\user\Desktop\RKVaYznwyT.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\RKVaYznwyT.exe"
Imagebase:0x400000
File size:4'375'040 bytes
MD5 hash:FDB7614D7064DA1A089A7F330177B2DD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:1
Start time:16:24:41
Start date:24/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:16:24:41
Start date:24/10/2024
Path:C:\Windows\System32\HOSTNAME.EXE
Wow64 process (32bit):false
Commandline:hostname
Imagebase:0x7ff729b70000
File size:14'848 bytes
MD5 hash:33AFAA43B84BDEAB12E02F9DBD2B2EE0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Disassembly

Reset < >

    Non-executed Functions

    Function 0042C940 Relevance: 8.9, Strings: 7, Instructions: 103COMMON
    Download Yara Rule
    Strings
    • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime:, xrefs: 0042CB30
    • ,-./05:;<=>?CFLMNPSZ["\, xrefs: 0042CAC0
    • runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssymaudit_start_datetime: unknown unit too many open filesunexpected InstFailunknown wait reasonwinmm.dll not foundzip: checksum, xrefs: 0042CA99
    • 0, xrefs: 0042CA19
    • VirtualQuery for stack base failedexpected attribute name in elementflag provided but not defined: -%sforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Perl syntaxmspan.ensureSwept: m is not lockedout of memory allocati, xrefs: 0042CB61
    • bad g0 stackbad recoverycan't happencas64 failedchan receiveclosed by </context.TODOdebugCall128dumping heapend tracegcentersyscallexit status gcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushlogrus_errormadvdontneednetapi32, xrefs: 0042CB05
    • ", xrefs: 0042CB6C
    Memory Dump Source
    • Source File: 00000000.00000002.1712167208.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1712144015.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712272760.0000000000561000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712388676.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712404041.00000000006F6000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712420613.00000000006F8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712444834.00000000006F9000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712481459.0000000000702000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712514475.0000000000704000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712538136.0000000000707000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712538136.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712538136.0000000000729000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712538136.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712610075.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712610075.0000000000777000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712711277.000000000081A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1712728310.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_RKVaYznwyT.jbxd
    Similarity
    • API ID:
    • String ID: "$,-./05:;<=>?CFLMNPSZ["\$0$VirtualQuery for stack base failedexpected attribute name in elementflag provided but not defined: -%sforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Perl syntaxmspan.ensureSwept: m is not lockedout of memory allocati$bad g0 stackbad recoverycan't happencas64 failedchan receiveclosed by </context.TODOdebugCall128dumping heapend tracegcentersyscallexit status gcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushlogrus_errormadvdontneednetapi32$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssymaudit_start_datetime: unknown unit too many open filesunexpected InstFailunknown wait reasonwinmm.dll not foundzip: checksum
    • API String ID: 0-1050518859
    • Opcode ID: e0bc92494ebb8365101e1b5958bd766eb1d5899210d7acff0ad02c27258c3bdb
    • Instruction ID: ce9c4443ee57e2feaa5a4b7c4e66464f8a2cac90c852b0bcd24a234762bdaeed
    • Opcode Fuzzy Hash: e0bc92494ebb8365101e1b5958bd766eb1d5899210d7acff0ad02c27258c3bdb
    • Instruction Fuzzy Hash: E9511736609F8584DB10EB51F48535EB364F7897A8F90822AEADC03BA9DF7CC194CB44