Windows Analysis Report
sample-20240612.exe

Overview

General Information

Sample name: sample-20240612.exe
Analysis ID: 1542813
MD5: 8045fd77ad5d947604c3641666dda302
SHA1: 54d9d532e3947738aac4e46be674286ed3d96546
SHA256: 98299848d4551b3491b8932596e194bb8f59eaf30438992109d48c1a391a49f4
Tags: exe, user-verso1

Detection

Metasploit
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • sample-20240612.exe (PID: 6744 cmdline: "C:\Users\user\Desktop\sample-20240612.exe" MD5: 8045FD77AD5D947604C3641666DDA302)
    • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xcopy.exe (PID: 7156 cmdline: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*" MD5: 7E9B7CE496D09F70C072930940F9F02C)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 7132 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • pressica.exe (PID: 3732 cmdline: "C:\Users\user\Pictures\pressica.exe" MD5: 8045FD77AD5D947604C3641666DDA302)
    • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 6020 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • pressica.exe (PID: 3736 cmdline: "C:\Users\user\Pictures\pressica.exe" MD5: 8045FD77AD5D947604C3641666DDA302)
    • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 4420 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup
Malware configuration (Metasploit): {"Type": "Shell Bind TCP", "Listen Port": 20}

Yara matches (Source | Rule | Description | Author | Strings):
00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leverage by metasploit shellcode | unknown | 0x15d0e:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leverage by metasploit shellcode | unknown | 0x6:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security

        System Summary

        Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Pictures\pressica.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sample-20240612.exe, ProcessId: 6744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VirtualBox Guest Additions Manager
        Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*", CommandLine: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Users\user\Desktop\sample-20240612.exe", ParentImage: C:\Users\user\Desktop\sample-20240612.exe, ParentProcessId: 6744, ParentProcessName: sample-20240612.exe, ProcessCommandLine: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*", ProcessId: 7156, ProcessName: xcopy.exe
        No Suricata rule has matched


        AV Detection

        Source: sample-20240612.exe | Avira: detected
        Source: C:\Users\user\Pictures\pressica.exe | Avira: detection malicious, Label: TR/AD.Swrort.onkld
        Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Shell Bind TCP", "Listen Port": 20}
        Source: C:\Users\user\Pictures\pressica.exe | ReversingLabs: Detection: 55%
        Source: sample-20240612.exe | ReversingLabs: Detection: 55%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
        Source: C:\Users\user\Pictures\pressica.exe | Joe Sandbox ML: detected
        Source: sample-20240612.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402450 CryptStringToBinaryA,CryptStringToBinaryA,766B3C50,0_2_00402450
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401280 _fwprintf,CryptBinaryToStringA,0_2_00401280
        Source: sample-20240612.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: unknown | DNS traffic detected: query: S(]H7p#}ho:P4p__.str4ng3l.ov reply code: Name error (3)
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_fwprintf,socket,htons,inet_addr,htons,GetCurrentProcessId,htons,sendto,recvfrom,0_2_00401580
        Source: global traffic | DNS traffic detected: DNS query: S(]H7p#}ho:P4p__.str4ng3l.ov

        System Summary

        Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: sample-20240612.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
        Source: classification engine | Classification label: mal93.troj.evad.winEXE@15/2@3/0
        Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\Pictures\pressica.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
        Source: C:\Users\user\Pictures\pressica.exe | Mutant created: \Sessions\1\BaseNamedObjects\toxotidae
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
        Source: C:\Users\user\Desktop\sample-20240612.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\sample-20240612.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: sample-20240612.exe | ReversingLabs: Detection: 55%
        Source: unknown | Process created: C:\Users\user\Desktop\sample-20240612.exe "C:\Users\user\Desktop\sample-20240612.exe"
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
        Source: C:\Windows\SysWOW64\xcopy.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: unknown | Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: unknown | Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: vcruntime140.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
        Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
        Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
        Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: fsutilext.dll
        Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: vcruntime140.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: vcruntime140.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Pictures\pressica.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
        Source: C:\Users\user\Desktop\sample-20240612.exe | Automated click: OK
        Source: C:\Users\user\Pictures\pressica.exe | Automated click: OK
        Source: C:\Users\user\Pictures\pressica.exe | Automated click: OK
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,RegSetValueExA,0_2_00401EA0
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_0040D754 push cs; ret 0_2_0040D755
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402DE6 push ecx; ret 0_2_00402DF9
        Source: initial sample | Static PE information: section name: UPX0
        Source: initial sample | Static PE information: section name: UPX1
        Source: C:\Windows\SysWOW64\xcopy.exe | File created (dropped file): C:\Users\user\Pictures\pressica.exe
        Source: C:\Users\user\Desktop\sample-20240612.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\sample-20240612.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-790
        Source: sample-20240612.exe, 00000000.00000002.1773478268.0000000000542000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
        Source: pressica.exe, 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\sample-20240612.exe | API call chain: ExitProcess graph end node graph_0-738
        Source: C:\Users\user\Desktop\sample-20240612.exe | API call chain: ExitProcess graph end node graph_0-763
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402B8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00402B8C
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,RegSetValueExA,0_2_00401EA0
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401CF0 GetProcessHeap,RtlAllocateHeap,733A33D0,CreateProcessA,0_2_00401CF0
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402FD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00402FD2
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402CEE SetUnhandledExceptionFilter,0_2_00402CEE

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\sample-20240612.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 730000 protect: page execute and read and write
        Source: C:\Users\user\Pictures\pressica.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 3230000 protect: page execute and read and write
        Source: C:\Users\user\Pictures\pressica.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 6E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00401C60 SetThreadContext,SetThreadContext,VirtualAllocEx,WriteProcessMemory,0_2_00401C60
        Source: C:\Users\user\Desktop\sample-20240612.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 730000
        Source: C:\Users\user\Pictures\pressica.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 3230000
        Source: C:\Users\user\Pictures\pressica.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 6E0000
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
        Source: C:\Users\user\Desktop\sample-20240612.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402E1E cpuid 0_2_00402E1E
        Source: C:\Users\user\Desktop\sample-20240612.exe | Code function: 0_2_00402A7B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00402A7B

        Remote Access Functionality

        Source: Yara match | File source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count the report attaches to a matched technique, techniques without one were not matched)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd
        Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
        Privilege Escalation: 311 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script
        Defense Evasion: 1 Masquerading; 311 Process Injection; 11 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Internet Connection Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: 2 Clipboard Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
        Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1542813, Sample: sample-20240612.exe, Start date: 26/10/2024, Architecture: WINDOWS, Score: 93

Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures

Process tree from the behavior graph (graph node numbers in parentheses):

• (7) sample-20240612.exe, DNS: S(]H7p#}ho:P4p__.str4ng3l.ov; signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject code into remote processes; Writes to foreign memory regions
  • (15) xcopy.exe, dropped: C:\Users\user\Pictures\pressica.exe (PE32); C:\Users\...\pressica.exe:Zone.Identifier (ASCII)
    • (30) conhost.exe
  • (18) conhost.exe
  • (20) mspaint.exe
• (11) pressica.exe, DNS: S(]H7p#}ho:P4p__.str4ng3l.ov; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • (22) conhost.exe
  • (24) mspaint.exe
• (13) pressica.exe, DNS: S(]H7p#}ho:P4p__.str4ng3l.ov; signatures: Allocates memory in foreign processes
  • (26) conhost.exe
  • (28) mspaint.exe

Antivirus detections for the submitted sample:
Source | Detection | Scanner | Label | Link
sample-20240612.exe | 55% | ReversingLabs | Win32.Trojan.TrickBotCrypt |
sample-20240612.exe | 100% | Avira | TR/AD.Swrort.onkld |
sample-20240612.exe | 100% | Joe Sandbox ML | |

Antivirus detections for dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\Pictures\pressica.exe | 100% | Avira | TR/AD.Swrort.onkld |
C:\Users\user\Pictures\pressica.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Pictures\pressica.exe | 55% | ReversingLabs | Win32.Trojan.TrickBotCrypt |
        No Antivirus matches
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
S(]H7p#}ho:P4p__.str4ng3l.ov | unknown | unknown | true | | unknown
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1542813
          Start date and time:2024-10-26 13:58:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 24s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:sample-20240612.exe
          Detection:MAL
          Classification:mal93.troj.evad.winEXE@15/2@3/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 12
          • Number of non-executed functions: 6
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: sample-20240612.exe
Time | Type | Description
12:59:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager C:\Users\user\Pictures\pressica.exe
12:59:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager C:\Users\user\Pictures\pressica.exe
          No context
          Process:C:\Windows\SysWOW64\xcopy.exe
          File Type:PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
          Category:dropped
          Size (bytes):11264
          Entropy (8bit):7.2239260255600035
          Encrypted:false
          SSDEEP:192:9SEqLn60yDanuxsSObs9O+q/kJCYpbFLUCIApgGVdbPURsinTyhvUyS9leOd:4Ey60yDuSOYWYDUCIApgGV5cRsiwYlLd
          MD5:8045FD77AD5D947604C3641666DDA302
          SHA1:54D9D532E3947738AAC4E46BE674286ED3D96546
          SHA-256:98299848D4551B3491B8932596E194BB8F59EAF30438992109D48C1A391A49F4
          SHA-512:D93D19835E48650CE6F25F0452E81C52EB80EECFCBB15FAC1E64B6636C2BC0D7B2AF864CC395DC26C5CFCACE815A7B3FC513C8402B6D6FDD447DA33325571FC4
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 55%
          Reputation:low
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L.....hf................. ........................@.................................................................................................................................................D...............................................UPX0....................................UPX1..... ....... ..................@....rsrc................$..............@......................................................................................................................................................................................................................................................................................................................................................................................3.96.UPX!....
          Process:C:\Windows\SysWOW64\xcopy.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview:[ZoneTransfer]....ZoneId=0
          File type:PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
          Entropy (8bit):7.2239260255600035
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.66%
          • UPX compressed Win32 Executable (30571/9) 0.30%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:sample-20240612.exe
          File size:11'264 bytes
          MD5:8045fd77ad5d947604c3641666dda302
          SHA1:54d9d532e3947738aac4e46be674286ed3d96546
          SHA256:98299848d4551b3491b8932596e194bb8f59eaf30438992109d48c1a391a49f4
          SHA512:d93d19835e48650ce6f25f0452e81c52eb80eecfcbb15fac1e64b6636c2bc0d7b2af864cc395dc26c5cfcace815a7b3fc513c8402b6d6fdd447da33325571fc4
          SSDEEP:192:9SEqLn60yDanuxsSObs9O+q/kJCYpbFLUCIApgGVdbPURsinTyhvUyS9leOd:4Ey60yDuSOYWYDUCIApgGV5cRsiwYlLd
          TLSH:9A329007EA1F67E5C75617B327B34108918A2FF55BB4CABA418486FF305722B872805E
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L..
          Icon Hash:90cececece8e8eb0
          Entrypoint:0x40ddb0
          Entrypoint Section:UPX1
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
          Time Stamp:0x6668BAA6 [Tue Jun 11 20:59:18 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:2bce9ea6a57e8da4d5415c3d01fa99e2
          Instruction
          pushad
          mov esi, 0040C000h
          lea edi, dword ptr [esi-0000B000h]
          push edi
          jmp 00007EFF6CD2B72Dh
          nop
          mov al, byte ptr [esi]
          inc esi
          mov byte ptr [edi], al
          inc edi
          add ebx, ebx
          jne 00007EFF6CD2B729h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007EFF6CD2B70Fh
          mov eax, 00000001h
          add ebx, ebx
          jne 00007EFF6CD2B729h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          add ebx, ebx
          jnc 00007EFF6CD2B711h
          jne 00007EFF6CD2B72Bh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007EFF6CD2B706h
          xor ecx, ecx
          sub eax, 03h
          jc 00007EFF6CD2B72Fh
          shl eax, 08h
          mov al, byte ptr [esi]
          inc esi
          xor eax, FFFFFFFFh
          je 00007EFF6CD2B796h
          mov ebp, eax
          add ebx, ebx
          jne 00007EFF6CD2B729h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jne 00007EFF6CD2B729h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          jne 00007EFF6CD2B742h
          inc ecx
          add ebx, ebx
          jne 00007EFF6CD2B729h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jnc 00007EFF6CD2B711h
          jne 00007EFF6CD2B72Bh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007EFF6CD2B706h
          add ecx, 02h
          cmp ebp, FFFFF300h
          adc ecx, 01h
          lea edx, dword ptr [edi+ebp]
          cmp ebp, FFFFFFFCh
          jbe 00007EFF6CD2B731h
          mov al, byte ptr [edx]
          inc edx
          mov byte ptr [edi], al
          inc edi
          dec ecx
          jne 00007EFF6CD2B719h
          jmp 00007EFF6CD2B688h
          nop
          mov eax, dword ptr [edx]
          add edx, 04h
          mov dword ptr [edi], eax
          add edi, 04h
          sub ecx, 04h
          jnbe 00007EFF6CD2B713h
          add edi, ecx
          jmp 00007EFF6CD3B671h
          Programming Language:
          • [IMP] VS2008 SP1 build 30729
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe394 | 0x400 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x394 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xdf44 | 0xa0 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xc000 | 0x2000 | 0x2000 | ed01a057bea23943c78d3c56fb23a288 | False | 0.9637451171875 | data | 7.789411077387524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xe000 | 0x1000 | 0x800 | 7fba29b25585a3b08ddd006eafed4a51 | False | 0.4443359375 | data | 4.93682790855367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xe05c | 0x336 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (762), with CRLF line terminators | English | United States | 0.5048661800486618
Imports:
DLL | Import
ADVAPI32.dll | RegCloseKey
api-ms-win-crt-convert-l1-1-0.dll | wcstombs
api-ms-win-crt-heap-l1-1-0.dll | free
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll | exit
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode
api-ms-win-crt-string-l1-1-0.dll | strcpy
CRYPT32.dll | CryptStringToBinaryA
IPHLPAPI.DLL | GetAdaptersAddresses
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
SHELL32.dll | ShellExecuteA
USER32.dll | MessageBoxA
VCRUNTIME140.dll | memcpy
WS2_32.dll | inet_addr
Language of compilation system | Country where language is spoken | Map
English | United States |
Network traffic (UDP):
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 13:59:10.684449911 CEST | 56687 | 53 | 192.168.2.4 | 8.8.4.4
Oct 26, 2024 13:59:10.692280054 CEST | 53 | 56687 | 8.8.4.4 | 192.168.2.4
Oct 26, 2024 13:59:21.758821011 CEST | 56688 | 53 | 192.168.2.4 | 8.8.4.4
Oct 26, 2024 13:59:21.767443895 CEST | 53 | 56688 | 8.8.4.4 | 192.168.2.4
Oct 26, 2024 13:59:30.140166998 CEST | 51090 | 53 | 192.168.2.4 | 8.8.4.4
Oct 26, 2024 13:59:30.147994995 CEST | 53 | 51090 | 8.8.4.4 | 192.168.2.4
DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 26, 2024 13:59:10.684449911 CEST | 192.168.2.4 | 8.8.4.4 | 0x1a58 | Standard query (0) | S(]H7p#}ho:P4p__.str4ng3l.ov | A (IP address) | IN (0x0001) | false
Oct 26, 2024 13:59:21.758821011 CEST | 192.168.2.4 | 8.8.4.4 | 0xe94 | Standard query (0) | S(]H7p#}ho:P4p__.str4ng3l.ov | A (IP address) | IN (0x0001) | false
Oct 26, 2024 13:59:30.140166998 CEST | 192.168.2.4 | 8.8.4.4 | 0xe98 | Standard query (0) | S(]H7p#}ho:P4p__.str4ng3l.ov | A (IP address) | IN (0x0001) | false
DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 26, 2024 13:59:10.692280054 CEST | 8.8.4.4 | 192.168.2.4 | 0x1a58 | Name error (3) | S(]H7p#}ho:P4p__.str4ng3l.ov | none | none | A (IP address) | IN (0x0001) | false
Oct 26, 2024 13:59:21.767443895 CEST | 8.8.4.4 | 192.168.2.4 | 0xe94 | Name error (3) | S(]H7p#}ho:P4p__.str4ng3l.ov | none | none | A (IP address) | IN (0x0001) | false
Oct 26, 2024 13:59:30.147994995 CEST | 8.8.4.4 | 192.168.2.4 | 0xe98 | Name error (3) | S(]H7p#}ho:P4p__.str4ng3l.ov | none | none | A (IP address) | IN (0x0001) | false

          Target ID:0
          Start time:07:59:05
          Start date:26/10/2024
          Path:C:\Users\user\Desktop\sample-20240612.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\sample-20240612.exe"
          Imagebase:0x400000
          File size:11'264 bytes
          MD5 hash:8045FD77AD5D947604C3641666DDA302
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1773478268.000000000052B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:07:59:05
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:07:59:10
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\xcopy.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"
          Imagebase:0xff0000
          File size:43'520 bytes
          MD5 hash:7E9B7CE496D09F70C072930940F9F02C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:3
          Start time:07:59:10
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:4
          Start time:07:59:10
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000004.00000002.2981002514.0000000000730000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false

          Target ID:5
          Start time:07:59:18
          Start date:26/10/2024
          Path:C:\Users\user\Pictures\pressica.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Pictures\pressica.exe"
          Imagebase:0x400000
          File size:11'264 bytes
          MD5 hash:8045FD77AD5D947604C3641666DDA302
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000005.00000002.1884397923.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 55%, ReversingLabs
          Reputation:low
          Has exited:true

          Target ID:6
          Start time:07:59:18
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:7
          Start time:07:59:21
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000007.00000002.2980996164.0000000003230000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false

          Target ID:11
          Start time:07:59:26
          Start date:26/10/2024
          Path:C:\Users\user\Pictures\pressica.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Pictures\pressica.exe"
          Imagebase:0x400000
          File size:11'264 bytes
          MD5 hash:8045FD77AD5D947604C3641666DDA302
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000B.00000002.1968225509.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          Target ID:12
          Start time:07:59:26
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:13
          Start time:07:59:29
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000D.00000002.2980998413.00000000006E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false

            Execution Graph

            Execution Coverage:47.8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:24.2%
            Total number of Nodes:178
            Total number of Limit Nodes:3

            Callgraph

            (Callgraph over 94 functions, Function_00401000 through Function_0040DDB0; the edge list is the report's graph data and its rendering is not preserved. Notable callers: Function_00402672 (CRT startup) reaches Function_00401DF0, which in turn calls Function_00401580, Function_00402010, Function_00401CF0, Function_004018D0 and Function_00402450.)

            Control-flow Graph

            APIs
              • Part of subcall function 00401000: WSAStartup.WS2_32(?,?), ref: 0040101E
            • OpenClipboard.USER32(00000000), ref: 004015A0
            • GetClipboardData.USER32(00000001), ref: 004015AC
            • CloseClipboard.USER32 ref: 004015B5
            • _fwprintf.LIBCONCRTD ref: 00401603
            • socket.WS2_32(00000002,00000002,00000011), ref: 00401623
            • htons.WS2_32(00000035), ref: 00401637
            • inet_addr.WS2_32(8.8.4.4), ref: 00401646
            • htons.WS2_32(00000001), ref: 0040165A
            • GetCurrentProcessId.KERNEL32 ref: 00401674
            • htons.WS2_32(00000000), ref: 0040167B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: Clipboardhtons$CloseCurrentDataOpenProcessStartup_fwprintfinet_addrsocket
            • String ID: %s.str4ng3l.ov$8.8.4.4$none-found
            • API String ID: 2933935763-3607574045
            • Opcode ID: eb56a7ec2e373c3d97ff8ae132adfaf26211d7365408f8d15ea60574dd93959f
            • Instruction ID: 1c81fc003f21d9003d6b0755760c0b5893c700c3e49a6ba2a16b9424b610dee6
            • Opcode Fuzzy Hash: eb56a7ec2e373c3d97ff8ae132adfaf26211d7365408f8d15ea60574dd93959f
            • Instruction Fuzzy Hash: 145150B5D00205ABCB00DBE0DC46BEEB774BF98304F10857AF605BB3D1E6B85A448B59

            Control-flow Graph

            APIs
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: 766B3C50.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00401F7E
            • GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 00401F8F
            • RegCreateKeyExA.KERNELBASE(80000001,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00401FB5
            • GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 00401FC0
            • RegSetValueExA.KERNELBASE(?,VirtualBox Guest Additions Manager,00000000,00000001,00404598,00000000), ref: 00401FFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: AddressBinaryCryptProcString$CreateLibraryLoadValue
            • String ID: ==gcldWYuFWTgMnbvlGdpRGZBBCdzVWdHBCevJEbhVHdylmV$RegCreateKeyExA$RegSetValueExA$Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce$U2Yu$VirtualBox Guest Additions Manager$advapi32.dll$E@
            • API String ID: 2615327233-2795570621
            • Opcode ID: 8a7f5cb782defaf38c33c433ebfbaa240f438dd25e7dc5da04f53e923f325b97
            • Instruction ID: 200ae719776af242690ab4aa0805dff1e03ad15c39d9fc42218c0088994233b2
            • Opcode Fuzzy Hash: 8a7f5cb782defaf38c33c433ebfbaa240f438dd25e7dc5da04f53e923f325b97
            • Instruction Fuzzy Hash: 2351D060D483C8E9EB12C7A8D849BDDBFB55F16708F184098E6843A2C2C6FE5558C77A

            Control-flow Graph

            APIs
            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00401CFD
            • RtlAllocateHeap.NTDLL(00000000), ref: 00401D04
            • 733A33D0.VCRUNTIME140(?,004042F8,0000014A), ref: 00401D22
            • CreateProcessA.KERNELBASE(00000000,mspaint.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401DC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: HeapProcess$AllocateCreate
            • String ID: mspaint.exe
            • API String ID: 3754836791-4111900996
            • Opcode ID: 7f0d24b6ed000782dd19411b5a1524e3348bc89ebe63c12fa413385846a4e432
            • Instruction ID: 796acfbc54956ddbaa5ab302f9b6bc5e8c0facad5ae133ab4fbef51741e684b8
            • Opcode Fuzzy Hash: 7f0d24b6ed000782dd19411b5a1524e3348bc89ebe63c12fa413385846a4e432
            • Instruction Fuzzy Hash: F73141B0E40308EFDB04DFA4CD46BADBBB5AF84704F2040A9E605BB2C1D6B95A41CB59

            Control-flow Graph

            (Control-flow graph of function 00401C60, basic blocks 401c60 through 401cef; calls 00401960, VirtualAllocEx and WriteProcessMemory. Graph rendering not preserved.)
            APIs
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 004019DC
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 004019E3
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 00401A28
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 00401A2F
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 00401A74
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 00401A7B
            • VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040), ref: 00401C9D
            • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00401CB8
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: AddressHandleModuleProc$AllocMemoryProcessVirtualWrite
            • String ID:
            • API String ID: 2210121904-0
            • Opcode ID: 51e4183b2145bcb5d91174e005a31e457aa2573a06920961aa21320a3e465d99
            • Instruction ID: 09b69f5ba5c78ad979e0241707377fcd12f5f09ae4e0cf85786f600d02c5112e
            • Opcode Fuzzy Hash: 51e4183b2145bcb5d91174e005a31e457aa2573a06920961aa21320a3e465d99
            • Instruction Fuzzy Hash: 4A115BB5600208BBEB04DF94C855FAE77B9EB88700F048169FA08AB3D0D674DA00CB99

            Control-flow Graph

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402027
            • SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 00402092
            • 766C6F80.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000104,?,00000000,00000000,?), ref: 004020AA
            • _fwprintf.LIBCONCRTD ref: 004020C6
            • _fwprintf.LIBCONCRTD ref: 004020E8
            • ShellExecuteA.SHELL32(00000000,open,xcopy,?,00000000,00000006), ref: 00402107
            • SetFileAttributesA.KERNELBASE(?,00000007), ref: 00402116
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: File_fwprintf$AttributesExecuteFolderKnownModuleNamePathShell
            • String ID: %s\pressica.exe$/f /y "%s" "%s*"$dF@$open$pressica$xcopy
            • API String ID: 3188491911-197669631
            • Opcode ID: 1757b982fa089392bf5f118aa6db93af42186ebb5022e7ccb81df2fcd7739adb
            • Instruction ID: 0b0c04f054531d5838bd78e44578d8c1b27464883403b62d052641579363b7ff
            • Opcode Fuzzy Hash: 1757b982fa089392bf5f118aa6db93af42186ebb5022e7ccb81df2fcd7739adb
            • Instruction Fuzzy Hash: AD3166F1D00208ABDB10DB90DD45FEE7778AB48704F1085AAF708B61D1E7B9AB45CB99

            Control-flow Graph

            APIs
              • Part of subcall function 00401860: GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401888
              • Part of subcall function 00401860: GetProcAddress.KERNEL32(00000000), ref: 0040188F
              • Part of subcall function 00401860: CreateMutexA.KERNELBASE(00000000,00000000,00406000), ref: 004018A1
              • Part of subcall function 00401860: GetLastError.KERNEL32 ref: 004018A7
              • Part of subcall function 00401860: ExitProcess.KERNEL32 ref: 004018B6
            • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 00401E11
              • Part of subcall function 004018D0: RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Notepad,00000000,00020019,?), ref: 004018EB
              • Part of subcall function 004018D0: RegQueryValueExA.KERNELBASE(?,SymbolicKuriza,00000000,?,?,00000004), ref: 00401913
              • Part of subcall function 004018D0: MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: 766B3C50.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401E41
            • GetProcAddress.KERNEL32(00000000), ref: 00401E48
            • ExitProcess.KERNEL32 ref: 00401E5C
            • CloseHandle.KERNELBASE(000000FF), ref: 00401E85
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: Handle$AddressBinaryCryptExitModuleProcProcessString$CloseCreateErrorLastMessageMutexObjectOpenQuerySingleValueWait
            • String ID: 4VGd11UZzFWZsVmU$kernel32.dll$pE@
            • API String ID: 2613027318-3841684420
            • Opcode ID: fc2790c8cca93ee3f0aa94e1f9630981776b881151abace160e9d655bb5bd8ef
            • Instruction ID: be50e093aebf102d3a884409ee660d86585cca1e1a1aa734280ce22902ef2981
            • Opcode Fuzzy Hash: fc2790c8cca93ee3f0aa94e1f9630981776b881151abace160e9d655bb5bd8ef
            • Instruction Fuzzy Hash: BF115EB1C00208EBCB00EFF4DE09AAE77B8AB44315F104679FB15B61E1D7B846448B99

            Control-flow Graph

            APIs
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: 766B3C50.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401888
            • GetProcAddress.KERNEL32(00000000), ref: 0040188F
            • CreateMutexA.KERNELBASE(00000000,00000000,00406000), ref: 004018A1
            • GetLastError.KERNEL32 ref: 004018A7
            • ExitProcess.KERNEL32 ref: 004018B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: BinaryCryptString$AddressCreateErrorExitHandleLastModuleMutexProcProcess
            • String ID: BhXZ0VXTlRXYlJ3Q$PB@$kernel32.dll
            • API String ID: 3688400154-396476814
            • Opcode ID: c07ef5bd6689a8a528c9e70477044eb04c9e2e7b3c5f446b37cddfae9adb379a
            • Instruction ID: 669e2303d3973f65e162ef5743e714aa6bc30ec1011120787717f9b88450d532
            • Opcode Fuzzy Hash: c07ef5bd6689a8a528c9e70477044eb04c9e2e7b3c5f446b37cddfae9adb379a
            • Instruction Fuzzy Hash: 3BF030B5D40308ABDB00FBE0AE49B5D7B78EB84701F108069FF45F62C1E7B456048B59

            Control-flow Graph

            (Control-flow graph of function 004018D0, basic blocks 4018d0 through 401957; calls RegOpenKeyExA, RegQueryValueExA, RegCloseKey and MessageBoxA. Graph rendering not preserved.)
            APIs
            • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Notepad,00000000,00020019,?), ref: 004018EB
            • RegQueryValueExA.KERNELBASE(?,SymbolicKuriza,00000000,?,?,00000004), ref: 00401913
            • RegCloseKey.ADVAPI32(?), ref: 00401931
            • MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: CloseMessageOpenQueryValue
            • String ID: A PLANETARY CRASH OCCURRED$Software\Microsoft\Notepad$SymbolicKuriza
            • API String ID: 3230402025-460206704
            • Opcode ID: 4405efb58e1f226a1f28677c1173a715a00bef615cf651f634922d8d7907816e
            • Instruction ID: d98d3d3d05217db93c2a751f322fe3da004ff4d1560c8446da0a25170dde1759
            • Opcode Fuzzy Hash: 4405efb58e1f226a1f28677c1173a715a00bef615cf651f634922d8d7907816e
            • Instruction Fuzzy Hash: D1014FF5B40208BBEB10DBD09D55FAE77B8AB44B08F1045BAFB02B61D0D2B85A44DB59

            Control-flow Graph

            (Control-flow graph of function 0040DDB0, basic blocks 40ddb0 through 40df39; calls LoadLibraryA, VirtualProtect (twice), GetProcAddress and ExitProcess. Graph rendering not preserved.)
            Memory Dump Source
            • Source File: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b6c6dd3a79ac3a5a9b2a4f5e455ae486dc50654db57d6988c3b7b2b056485c20
            • Instruction ID: a816e8a1f0845dce0eaaba9ecb04c21988eaba45b1b4114ca25883204c05cd01
            • Opcode Fuzzy Hash: b6c6dd3a79ac3a5a9b2a4f5e455ae486dc50654db57d6988c3b7b2b056485c20
            • Instruction Fuzzy Hash: 4751E871E54A524BD7205EF8CC806B17794EB62325B18073AD9E1EB3C5E7B85C0E87A8

            Control-flow Graph

            (Control-flow graph of function 0040192B, basic blocks 40192b through 401957; calls MessageBoxA. Graph rendering not preserved.)
            APIs
            • MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
            Strings
            • A PLANETARY CRASH OCCURRED, xrefs: 0040193D
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: Message
            • String ID: A PLANETARY CRASH OCCURRED
            • API String ID: 2030045667-2055004300
            • Opcode ID: af7cc8ee93d73c50879489ada7bfb7d18cc0382d562da4ac0826856e0066e744
            • Instruction ID: c2efebe2c81e7fa1e788115d848d9b68e55f17e073cf02b02e4ca2a00a4aa88f
            • Opcode Fuzzy Hash: af7cc8ee93d73c50879489ada7bfb7d18cc0382d562da4ac0826856e0066e744
            • Instruction Fuzzy Hash: B0C092B03C82087BE1101A81AC17B6076508784F46F2005FFBF0AB92E295FF2870519E

            Control-flow Graph

            (Control-flow graph of function 00401000, basic blocks 401000 through 401067; calls WSAStartup and WSACleanup. Graph rendering not preserved.)
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: CleanupStartup
            • String ID:
            • API String ID: 915672949-0
            • Opcode ID: 8a12681aa40c1235f46164687111d45405783a7ff23716213953e9d1018d8997
            • Instruction ID: d6d0ac8f56efb8b1936121e8681ee368fe6fefc78c9a698b733bc57127530eb9
            • Opcode Fuzzy Hash: 8a12681aa40c1235f46164687111d45405783a7ff23716213953e9d1018d8997
            • Instruction Fuzzy Hash: DFF0E2744042A8E2DB209B658D166FA73A99F41701F0080B6E689BAAD1D53D49CAF738

            Control-flow Graph

            (Control-flow graph of function 004027AD, basic blocks 4027ad through 4027f9; calls 00402CAB, 00403171, 00403153, 00402AC8 and __scrt_common_main_seh. Graph rendering not preserved.)
            APIs
              • Part of subcall function 00402CAB: GetModuleHandleW.KERNEL32(00000000,00402776), ref: 00402CAD
            • ___security_init_cookie.LIBCMT ref: 004027F4
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: HandleModule___security_init_cookie
            • String ID:
            • API String ID: 1525027140-0
            • Opcode ID: 55dc3918c2a887689a201ebd6e2b229a29201b86f6acc27a85624d951db77426
            • Instruction ID: 9652acbc9c2ec9e4c0407afc84b6a2401bb25916cc1edbbb0ed09a45455ca3fe
            • Opcode Fuzzy Hash: 55dc3918c2a887689a201ebd6e2b229a29201b86f6acc27a85624d951db77426
            • Instruction Fuzzy Hash: DBE0DF36A042098FDF20AB94DA0A7EDBB71BB4432CF20057BE911332D1C77D08008A69
            APIs
            • _fwprintf.LIBCONCRTD ref: 00401296
              • Part of subcall function 00401820: _fread.LIBCMTD ref: 0040183A
            • CryptBinaryToStringA.CRYPT32(?,00000000,00002000), ref: 00401300
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: BinaryCryptString_fread_fwprintf
            • String ID: 12345
            • API String ID: 1841223416-3421846044
            • Opcode ID: 48ae50794edba505917c658fa9e8973ec0995a3dd87b5b287c2cce179089f69d
            • Instruction ID: fe676a3341625b72832572ae7441fe0738a427ecb38ca2ba08709ecd35e1c63b
            • Opcode Fuzzy Hash: 48ae50794edba505917c658fa9e8973ec0995a3dd87b5b287c2cce179089f69d
            • Instruction Fuzzy Hash: 041173BAD00108B7DB15DB91DC52DDF737C9B98304F0086BAF605B6191FA78AB048BA5
            APIs
            • CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
            • CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
            • 766B3C50.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: BinaryCryptString
            • String ID:
            • API String ID: 80407269-0
            • Opcode ID: c9de511b8970b722d39bb4fb153f7bf62d743a3a7ad644a1447610fdae834917
            • Instruction ID: e5c2183285be56b41c4785deced1c7c39a64db2bbe833c67ee48bc07c55a1278
            • Opcode Fuzzy Hash: c9de511b8970b722d39bb4fb153f7bf62d743a3a7ad644a1447610fdae834917
            • Instruction Fuzzy Hash: 9C0125B5A50308BBEB10DF94DD46F9E7779AB44700F104564FB04AB2C0D671AA54C7A5
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_00002CFA,00402665), ref: 00402CF3
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 4624fdc9bf38d70b079e48dd4a0717aae957004d099a57db058a4038ee2f2183
            • Instruction ID: 7b3a7fbd28eeb06f38601b15cc9528321e579126e4b0af8758f223b2c6d07d70
            • Opcode Fuzzy Hash: 4624fdc9bf38d70b079e48dd4a0717aae957004d099a57db058a4038ee2f2183
            • Instruction Fuzzy Hash:

            Control-flow Graph

            APIs
            • GetModuleHandleA.KERNEL32(?,?), ref: 004019DC
            • GetProcAddress.KERNEL32(00000000), ref: 004019E3
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401A28
            • GetProcAddress.KERNEL32(00000000), ref: 00401A2F
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401A74
            • GetProcAddress.KERNEL32(00000000), ref: 00401A7B
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401AC0
            • GetProcAddress.KERNEL32(00000000), ref: 00401AC7
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: 766B3C50.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401B0C
            • GetProcAddress.KERNEL32(00000000), ref: 00401B13
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401B58
            • GetProcAddress.KERNEL32(00000000), ref: 00401B5F
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401BA4
            • GetProcAddress.KERNEL32(00000000), ref: 00401BAB
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401BF0
            • GetProcAddress.KERNEL32(00000000), ref: 00401BF7
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401C3C
            • GetProcAddress.KERNEL32(00000000), ref: 00401C43
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: AddressHandleModuleProc$BinaryCryptString
            • String ID:
            • API String ID: 799473262-0
            • Opcode ID: f9e9ce23ecb477a9bd318799b4bdaffa6956efc943755a2bb846985e15b82871
            • Instruction ID: 4550be7fb57ab333a49d72e2806c53260d2aaa3ffafb7322355188c24874c5b9
            • Opcode Fuzzy Hash: f9e9ce23ecb477a9bd318799b4bdaffa6956efc943755a2bb846985e15b82871
            • Instruction Fuzzy Hash: BDA1ECB5D00208EFDB04DFA8D999B9DBBB9EF88304F108568E605F7291E774AA05CB54

            Control-flow Graph

            Control-flow graph for the function at 00402250-00402414 (basic blocks calling GetProcessHeap, RtlAllocateHeap, GetAdaptersAddresses, HeapFree, inet_ntop, with a subcall to 00401820); graph rendering not reproduced here.
            APIs
            • GetProcessHeap.KERNEL32(00000000,00003A98), ref: 004022BA
            • RtlAllocateHeap.NTDLL(00000000), ref: 004022C1
            • 766C4380.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 004022D2
            • GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,00003A98), ref: 004022EA
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004022FE
            • HeapFree.KERNEL32(00000000), ref: 00402305
            • inet_ntop.WS2_32(00000002,?,?,00000064), ref: 00402397
            • 766CC830.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 004023A4
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004023E3
            • HeapFree.KERNEL32(00000000), ref: 004023EA
            • _fwprintf.LIBCONCRTD ref: 00402400
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: Heap$Process$Free$AdaptersAddressesAllocateC4380C830_fwprintfinet_ntop
            • String ID: 0.0.0.0$d$o
            • API String ID: 1088226997-2822489677
            • Opcode ID: 76410c49e516318949d708376e42d06478d44f16ed5c20773a29492f0188022a
            • Instruction ID: c3e7275d39989bb3dc813cb4a503f84ba46128ba8244ca674528b176bfbf346c
            • Opcode Fuzzy Hash: 76410c49e516318949d708376e42d06478d44f16ed5c20773a29492f0188022a
            • Instruction Fuzzy Hash: 4851F7B1D00209EBDB04DFE4D949BEEBBB4FB44304F108569E6057B280D7B95A85CFA5
            APIs
            • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 004021C2
            • VerSetConditionMask.NTDLL(00000000), ref: 004021CA
            • VerSetConditionMask.NTDLL(00000000), ref: 004021D2
            • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000,?), ref: 0040220B
            Memory Dump Source
            • Source File: 00000000.00000002.1773355149.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1773343242.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040A000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773355149.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773393130.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1773405000.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612.jbxd
            Similarity
            • API ID: ConditionMask$InfoVerifyVersion
            • String ID:
            • API String ID: 2793162063-0
            • Opcode ID: 69253ae718b90deda0e76316189793a22e8b5579226ca5095490ee7f94383c5d
            • Instruction ID: e5c2bfe32ea68744dc9bbdcd428afb0c47dd67ce15f24e361d93a7a02ca45b0a
            • Opcode Fuzzy Hash: 69253ae718b90deda0e76316189793a22e8b5579226ca5095490ee7f94383c5d
            • Instruction Fuzzy Hash: F021E2B4D44318ABEB14DFA1DD19BEEB7B8AF48701F108099F644B72C0D7B44B548B59