Windows Analysis Report
sample-20240612.exe

Overview

General Information

Sample name: sample-20240612.exe
Analysis ID: 1542813
MD5: 8045fd77ad5d947604c3641666dda302
SHA1: 54d9d532e3947738aac4e46be674286ed3d96546
SHA256: 98299848d4551b3491b8932596e194bb8f59eaf30438992109d48c1a391a49f4
Tags: exeuser-verso1

Detection

Metasploit
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: sample-20240612.exe Avira: detected
Source: C:\Users\user\Pictures\pressica.exe Avira: detection malicious, Label: TR/AD.Swrort.onkld
Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Shell Bind TCP", "Listen Port": 20}
Source: C:\Users\user\Pictures\pressica.exe ReversingLabs: Detection: 55%
Source: sample-20240612.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Pictures\pressica.exe Joe Sandbox ML: detected
Source: sample-20240612.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402450 CryptStringToBinaryA,CryptStringToBinaryA,766B3C50, 0_2_00402450
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401280 _fwprintf,CryptBinaryToStringA, 0_2_00401280
Source: sample-20240612.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown DNS traffic detected: query: S(]H7p#}ho:P4p__.str4ng3l.ov reply code: Name error (3)
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_fwprintf,socket,htons,inet_addr,htons,GetCurrentProcessId,htons,sendto,recvfrom, 0_2_00401580
Source: global traffic DNS traffic detected: DNS query: S(]H7p#}ho:P4p__.str4ng3l.ov

System Summary

Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: sample-20240612.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: classification engine Classification label: mal93.troj.evad.winEXE@15/2@3/0
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Users\user\Pictures\pressica.exe Mutant created: \Sessions\1\BaseNamedObjects\toxotidae
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Users\user\Desktop\sample-20240612.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sample-20240612.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sample-20240612.exe ReversingLabs: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\sample-20240612.exe "C:\Users\user\Desktop\sample-20240612.exe"
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: C:\Users\user\Desktop\sample-20240612.exe Automated click: OK
Source: C:\Users\user\Pictures\pressica.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,RegSetValueExA, 0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_0040D754 push cs; ret 0_2_0040D755
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402DE6 push ecx; ret 0_2_00402DF9
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Users\user\Desktop\sample-20240612.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sample-20240612.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: sample-20240612.exe, 00000000.00000002.1773478268.0000000000542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: pressica.exe, 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402B8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00402B8C
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,RegSetValueExA, 0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401CF0 GetProcessHeap,RtlAllocateHeap,733A33D0,CreateProcessA, 0_2_00401CF0
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402FD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00402FD2
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402CEE SetUnhandledExceptionFilter, 0_2_00402CEE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sample-20240612.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 730000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 3230000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 6E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00401C60 SetThreadContext,SetThreadContext,VirtualAllocEx,WriteProcessMemory, 0_2_00401C60
Source: C:\Users\user\Desktop\sample-20240612.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 730000
Source: C:\Users\user\Pictures\pressica.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 3230000
Source: C:\Users\user\Pictures\pressica.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 6E0000
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402E1E cpuid 0_2_00402E1E
Source: C:\Users\user\Desktop\sample-20240612.exe Code function: 0_2_00402A7B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00402A7B

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos