Edit tour

Windows Analysis Report
173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Overview

General Information

Sample name:	173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe
Analysis ID:	1543225
MD5:	6973d6be4ecb4fa2cec58b35b0dde577
SHA1:	ad03ef6a442070f7c0bdf63d4cd788cac3ae9936
SHA256:	5131eee2232ca51f902577bae64a8afe58d107af2e2fa9a38c020ddc34157e16
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe (PID: 3660 cmdline: "C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe" MD5: 6973D6BE4ECB4FA2CEC58B35B0DDE577)

WerFault.exe (PID: 5540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["necklacedmny.store", "fadehairucw.store", "navygenerayk.store", "crisiwarny.store", "withdrwblon.cyou", "scriptyprefej.store", "presticitpo.store", "founpiuer.store", "thumbystriw.store"], "Build id": "HpOoIh--@dxrkl0rd"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "fadehairucw.store", "navygenerayk.store", "crisiwarny.store", "withdrwblon.cyou", "scriptyprefej.store", "presticitpo.store", "founpiuer.store", "thumbystriw.store"], "Build id": "HpOoIh--@dxrkl0rd"}

Multi AV Scanner detection for submitted file

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: scriptyprefej.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: navygenerayk.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: founpiuer.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: necklacedmny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: thumbystriw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: fadehairucw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: crisiwarny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: presticitpo.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: withdrwblon.cyou
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: Workgroup: -
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	String decryptor: HpOoIh--@dxrkl0rd

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: navygenerayk.store
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	URLs: withdrwblon.cyou
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: thumbystriw.store

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_004072DD	0_2_004072DD
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_00407306	0_2_00407306
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_0040C90C	0_2_0040C90C
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_00407315	0_2_00407315
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_0040B189	0_2_0040B189
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_0040D3A7	0_2_0040D3A7

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3660

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3ed81f5-90b4-44ac-b8a7-c496a9e02f5b

Jump to behavior

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe "C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe"
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_004114E4 push ebx; retf		0_2_004114E5
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret		0_2_0040152A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: scriptyprefej.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: navygenerayk.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: founpiuer.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: necklacedmny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: thumbystriw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: fadehairucw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: crisiwarny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: presticitpo.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: withdrwblon.cyou

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	21%	ReversingLabs
173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Malicious	Reputation
presticitpo.store	true	unknown
founpiuer.store	true	unknown
scriptyprefej.store	true	unknown
thumbystriw.store	true	unknown
withdrwblon.cyou	true	unknown
necklacedmny.store	true	unknown
fadehairucw.store	true	unknown
crisiwarny.store	true	unknown
navygenerayk.store	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543225
Start date and time:	2024-10-27 13:38:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, PID 3660 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
08:39:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_173003262828c2e4_7c25c6182121a481a7bacbc9ebd31c438dd8_65cfd6e1_a97a180d-ded0-48f6-b2ff-3ea975f7661a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7135998725640438
Encrypted:	false
SSDEEP:	96:jMgFOjkIgACCCQBYsYAhI1yDf0QXIDcQzc6CmcE1cw3CCC4CB+HbHg6ZAX/d5FM5:ogg/BYA0NXfvjEzuiFaZ24IO8m
MD5:	2EDD8765E3A63F234B2135AA2DB9632B
SHA1:	D046DF69B23F6E89DA191F3D04B93721429DCA6C
SHA-256:	E7D1B79814BDD5427D74F04123C5576823399F4A73659BBA79B6398A826CE7E7
SHA-512:	7E5DF6FAA451B0D571FD8C9B399E5849DA1611F18609C007229A7C2239C7CCEE9EE1F835E307888A65649E3121BE3515B4513D7A04C7DF6643074EF8007CF83E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.0.6.3.8.4.1.0.8.9.4.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.0.6.3.8.4.4.2.1.4.4.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.7.a.1.8.0.d.-.d.e.d.0.-.4.8.f.6.-.b.2.f.f.-.3.e.a.9.7.5.f.7.6.6.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.b.7.8.0.e.c.-.d.6.c.6.-.4.5.9.2.-.9.7.0.6.-.1.6.8.a.e.0.4.0.5.4.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.7.3.0.0.3.2.6.2.8.2.8.c.2.e.4.4.6.4.9.3.e.5.b.3.9.9.a.9.a.d.3.2.e.1.6.8.6.a.d.7.e.d.a.9.9.8.9.a.2.a.d.6.f.1.4.1.6.8.b.6.1.b.1.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.4.c.-.0.0.0.1.-.0.0.1.4.-.d.c.8.7.-.6.d.4.c.6.d.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.5.9.7.e.4.0.7.4.c.2.0.a.a.b.e.8.7.6.8.1.c.b.8.7.2.b.c.a.5.c.4.0.0.0.0.f.f.f.f.!.0.0.0.0.a.d.0.3.e.f.6.a.4.4.2.0.7.0.f.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A6B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 12:39:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	19618
Entropy (8bit):	2.051348546769705
Encrypted:	false
SSDEEP:	96:5E8KmVwBky6skCai7nTEfYphWI/WItoIZTvhi:19OIUTZi
MD5:	41322A486AA4F522B3765A2C1D977E1F
SHA1:	3E77543010DF45AFACE9DB7618773B5CB858C1B6
SHA-256:	82F08B21B5225F372FDC0F9771665A528CDAF24D96AE993E90EAC8802ED64DB0
SHA-512:	C43824011821B28BE46B68FE3DC2A760E2F3A144FF0308A56FBFBFC1FB9833FC14E2ED20BD9E0127665A66F66EE1B8544476ECF670AB58D7D5D9EA8C1BCEAC58
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........4.g............4...............<.......d...<...........T.......8...........T...........H...ZC......................................................................................................eJ......L.......GenuineIntel............T.......L....4.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AAA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	3.7009364639013054
Encrypted:	false
SSDEEP:	192:R6l7wVeJWI6A7I6YS1SUVgmfzuJPWOnpx789bHT4sf0CQ1Lm:R6lXJx6Ak6YwSUVgmfSJPWOEHTrfWi
MD5:	506702BAD970F75730901ACA88F3F304
SHA1:	C7FBE1B8160CEA00379217BC5AE2A5CAFBBAB7D2
SHA-256:	5B4A6D7C2C066E9BE6BEB2376EB6EB9C80838645DA7A84986374A2EA74D1D1BD
SHA-512:	63B4462D67BFD11E847CF92494275484E5D68B781EF8F4C0A70C40D173057097A2D4660BA2562B587E7287D81809731363669EA3F9DED0BDDBD2911E8EEB15C6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AF9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4893
Entropy (8bit):	4.55047317912906
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRiJg77aI9HA7XWpW8VYeRYm8M4JHdvHFZKFC7+q8AFEFnLzBzrd:uIjfOI7mq7VHQJNziXRrd
MD5:	EA98F6311AC1200066B3621D164245C2
SHA1:	542759E917BFE333DA8C03F94A55D668A8AE848A
SHA-256:	D45EFB5EDE20BA296C8CDE8C455EFA3827561738A66DAC2CC393A899FE820894
SHA-512:	8DBC3EAFE547AEB5B39CF2B250B53AACE5C3471F3AF435BB8D6C75987D81A4EFC7FD881637B3AC0D2AC50179FFD2CAFE4DDAD196AFAEFCD4889CA156DDD86B2D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="561822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372572821719218
Encrypted:	false
SSDEEP:	6144:BFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:nV1QyWWI/glMM6kF7Dq
MD5:	BC31926E7BAB77B5AB7DE39EA1F82084
SHA1:	0F357BC390D0F468191ACAD01369DE956717495B
SHA-256:	0903A77D441299C592808590BE271970C102685B1C75FE060D3968A8A53DBB3D
SHA-512:	D1B00882FB27742DC66DFD62EC4E6FBFCA067862401DEAED128DFD49FF40E8FAF2B70AF7DF53D77E07BA017229A14D543D7C017FEDD5EFA81C3EB39F5EBBDEE2
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.E.Lm(...............................................................................................................................................................................................................................................................................................................................................7.x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.814498886283681
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe
File size:	354'052 bytes
MD5:	6973d6be4ecb4fa2cec58b35b0dde577
SHA1:	ad03ef6a442070f7c0bdf63d4cd788cac3ae9936
SHA256:	5131eee2232ca51f902577bae64a8afe58d107af2e2fa9a38c020ddc34157e16
SHA512:	ddbb9af460b8f7fbacb1f40195c41c0d7682db5661952bc2e6b3b516a26892773751f4daf5096513530b05132a069a75541b069e097be87b9b97cd424b377a28
SSDEEP:	6144:05gt/WJxHSd56E+a5VTWaRVeCK6V/Hyw1sKsuH1AliCTPYyXNKzTxEq:054/oyd56E+yTx46V/HQKsdi5yXNK3Oq
TLSH:	19748D07EA6350D1D8C7897422CF737BAE3A621057684EC7DA4CEED038B36F16836956
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J........................@.......................................@.................................R......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cf90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
loop 00007FA1AC8DE9E3h
shr cl, FFFFFF8Bh
add al, byte ptr [eax]
add byte ptr [ebx-3EEBDBB4h], cl
loope 00007FA1AC8DE9B7h
mov esi, dword ptr [esp+10h]
mov dword ptr [esp+14h], ecx
lea eax, dword ptr [esi+ecx]
add eax, 00008F12h
push 00000120h
push 00000000h
push eax
call 00007FA1AC8DEE0Fh
add esp, 0Ch
mov eax, dword ptr [esp+1Ch]
add eax, esi
add eax, 00008852h
push 00000240h
push 00000000h
push eax
call 00007FA1AC8DEDF4h
add esp, 0Ch
test ebx, ebx
add al, ah
dec esi
mov bh, 8Eh
in al, 00h
add byte ptr [eax], al
add ebp, FFFFFFFEh
mov eax, 00000001h
mov ecx, dword ptr [esp+14h]
add ecx, dword ptr [esp+10h]
mov dword ptr [esp+14h], ecx
mov dword ptr [esp+0Ch], ebp
jmp 00007FA1AC8DE9D1h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov esi, dword ptr [esp+04h]
mov dword ptr [esp+04h], esi
lea ecx, dword ptr [eax+01h]
cmp eax, ebx
mov eax, ecx
add al, ah
dec esi
mov bh, 84h
stosd
add byte ptr [eax], al
add byte ptr [ebx-7ACF7BB4h], cl
leave
jle 00007FA1AC8DE995h
mov edx, ecx
and edx, 03h
je 00007FA1AC8DE9FEh
mov esi, dword ptr [esp+04h]
lea edi, dword ptr [00000000h+esi*4]
add edi, ebp
xor esi, esi
mov ebp, dword ptr [esp+14h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
movzx edx, word ptr [eax]
loopne 00007FA1AC8DEA00h
mov bh, 88h
test byte ptr [ebx], ch
adc cl, byte ptr [edi+00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48052	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x4a84	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x481a0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44901	0x44a00	f716ae96b9fe377cd3bc507c192a8d7e	False	0.5444451559653917	data	6.661889453528604	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x46000	0x253d	0x2600	75aa12666fc3cd0dae60f7e8d72fa046	False	0.633532072368421	data	6.750447756020646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x49000	0xf3b8	0x6000	d77f6af5a7600d44a1bfce7e3d1a35ed	False	0.5148518880208334	data	6.83228662420711	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x59000	0x4a84	0x4c00	6630588525d92f9ce30eba177cd7cad7	False	0.5369037828947368	data	6.33711288563591	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 13:40:22.783900023 CET	53	55608	162.159.36.2	192.168.2.8
Oct 27, 2024 13:40:23.417256117 CET	53	51265	1.1.1.1	192.168.2.8

Analysis Process: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exePID: 3660, Parent PID: 4084

General

Target ID:	0
Start time:	08:39:43
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe"
Imagebase:	0x400000
File size:	354'052 bytes
MD5 hash:	6973D6BE4ECB4FA2CEC58B35B0DDE577
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:39:43
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224
Imagebase:	0x4c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exePID: 3660, Parent PID: 4084COMMON

Non-executed Functions

Function 0040D3A7 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992da56a12b929749f5b34514ef4403dc7cd1c8e496927517b658f2e5690325d
Instruction ID: 33d1fa796b1d896eb3f1c7a1f020b0e48ef70a42adf84ec873fa5626091bade2
Opcode Fuzzy Hash: 992da56a12b929749f5b34514ef4403dc7cd1c8e496927517b658f2e5690325d
Instruction Fuzzy Hash: 49611CB3E443244BC728CEA4DC9129AF392EBD4660F0FD62DEC45E7700E57DAD464A89

Function 0040C90C Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa8fd6e708e242520525c30bfcadfa422ce028f315f66dc66fbe8ec01c725ec
Instruction ID: ddd1b86d349be93cd26abd39a089ad28cebcfcecbc2669ff4f6db5009d02065c
Opcode Fuzzy Hash: cfa8fd6e708e242520525c30bfcadfa422ce028f315f66dc66fbe8ec01c725ec
Instruction Fuzzy Hash: E271A270609341CFC722DF18D88539ABBE1EFD6304F198A6EC9C597286D338A552CB96

Function 0040B189 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c31fb140ed6bf20187175e22f0a7b43266736225535e38520ef6b94780b61b6
Instruction ID: 96f5fc08c655095b160617391283794c17b460828c94bb8a9a883e3b036af509
Opcode Fuzzy Hash: 8c31fb140ed6bf20187175e22f0a7b43266736225535e38520ef6b94780b61b6
Instruction Fuzzy Hash: F9613C7110C380CFC315CB58884065BBFE0AFAA704F540D6EE5C5A7792C675EA09CBAB

Function 004072DD Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2756ed4631783ae0cc829404af07eadf753561bb50897bdfdf90c7d9c5c52181
Instruction ID: 29538516de44edcf7582a9e2b727cf2f55695f5a19e8fd380397c09a88aa26e7
Opcode Fuzzy Hash: 2756ed4631783ae0cc829404af07eadf753561bb50897bdfdf90c7d9c5c52181
Instruction Fuzzy Hash: A521C637B1C7614BE3518F35DCC45477792EB87214B1A017ADE81D7382C636F802E296

Function 00407315 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df886b0847863313051c2667727db0ab781dfdfa4379abec52b675b3adf67df5
Instruction ID: 973ffdcea0d592f631ef01c1131d7206f6ae1fd1f2d280df51a51869193aa499
Opcode Fuzzy Hash: df886b0847863313051c2667727db0ab781dfdfa4379abec52b675b3adf67df5
Instruction Fuzzy Hash: 5401BC3BB285314BF3519F79ECC814A6353FB8B21530E0231EA82D7342C632F412E28A

Function 00407306 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f28a8a5de9b0aa23fd99f53cd2d8b87933a2631140e4c19104637d173a8c570
Instruction ID: 6c04391225370861c0d4043648be8474e9e55333c0dae57bd26468f16cf2eb63
Opcode Fuzzy Hash: 1f28a8a5de9b0aa23fd99f53cd2d8b87933a2631140e4c19104637d173a8c570
Instruction Fuzzy Hash: 59F0E22BB2867147F7919F66ECC410A6303E78B21570E0135EF81D7382C676F512E25A

Function 00402879 Relevance: 8.8, Strings: 7, Instructions: 48COMMON

Download Yara Rule

Strings

0000, xrefs: 004028FF
0000, xrefs: 0040293A
0000, xrefs: 00402925
0000, xrefs: 0040292C
0000, xrefs: 00402933
0000, xrefs: 0040291E
0000, xrefs: 00402917

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID: 0000$0000$0000$0000$0000$0000$0000
API String ID: 0-3735745554
Opcode ID: 97be3ee8353ebcccb5fd9c356fa5382d5f9c485eb5905a2df973ccc4d463490a
Instruction ID: e5378a02405b101bcdf5dbed652373363ec6d2d21f896ddc0aa595c3e7dd57fb
Opcode Fuzzy Hash: 97be3ee8353ebcccb5fd9c356fa5382d5f9c485eb5905a2df973ccc4d463490a
Instruction Fuzzy Hash: 78115EBD2273804FC7089F0489E8656BF59FB56344369C6AAC4471B2E2D3B58803DB8E

Function 004028BB Relevance: 8.8, Strings: 7, Instructions: 43COMMON

Download Yara Rule

Strings

0000, xrefs: 004028FF
0000, xrefs: 0040293A
0000, xrefs: 00402925
0000, xrefs: 0040292C
0000, xrefs: 00402933
0000, xrefs: 0040291E
0000, xrefs: 00402917

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID: 0000$0000$0000$0000$0000$0000$0000
API String ID: 0-3735745554
Opcode ID: 8cc84ef14e8c139efcd8b1de24fc7b879e2537f081eb35a549e7ee1673a866ce
Instruction ID: 3c1ac74e3f97160d7814e9761efe813063702cfa5cd85854cd263fed32d1d0fc
Opcode Fuzzy Hash: 8cc84ef14e8c139efcd8b1de24fc7b879e2537f081eb35a549e7ee1673a866ce
Instruction Fuzzy Hash: 310161BD6173808FC7098F1489A8605BF69BB56244359C1AAC4474F2E2E3B5C902CF8F

Function 0040E3BF Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

a[[d, xrefs: 0040E46B
@DvF, xrefs: 0040E48B
_kQT, xrefs: 0040E473
Jxzv, xrefs: 0040E4A3

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID: @DvF$Jxzv$_kQT$a[[d
API String ID: 0-2174979120
Opcode ID: 2d8366e74524e5093e30f7680ddec45d2930d59e69f81c80475d04386c52cd36
Instruction ID: 1f3a0a8d3e70423f2bf4a75cc8649767a6149206e9a7a498639a5e44bad7eead
Opcode Fuzzy Hash: 2d8366e74524e5093e30f7680ddec45d2930d59e69f81c80475d04386c52cd36
Instruction Fuzzy Hash: 8171E37050D3C18FD7128F69885029BBFE0AF97318F184EAED4D1AB392D778854AC756

Function 0041138E Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

yw, xrefs: 004113AF
!m%k, xrefs: 004113D0
+e(c, xrefs: 004113E6
#i4g, xrefs: 004113DB

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID: !m%k$#i4g$+e(c$yw
API String ID: 0-579512773
Opcode ID: 6e9b7c751517cdbc06bb436c88e5d05743f4077e86103d70768e6b00b4fc371b
Instruction ID: 57514c8425cd2fd664880043902cd7e69d9183ebd53fa6c61cf51f223200030c
Opcode Fuzzy Hash: 6e9b7c751517cdbc06bb436c88e5d05743f4077e86103d70768e6b00b4fc371b
Instruction Fuzzy Hash: D35178B154D3C18FE3329F2088557CABFB1AF92300F19899EC5C98B296E7794546CB53

Function 0041007E Relevance: 5.0, Strings: 4, Instructions: 26COMMON

Download Yara Rule

Strings

*u&w, xrefs: 004100A2
0e-g, xrefs: 004100BE
!q"s, xrefs: 0041009B
#iJk, xrefs: 004100A9

Memory Dump Source

Source File: 00000000.00000002.2949256159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2949236240.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949294712.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949313708.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949331754.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2949352393.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56.jbxd

Similarity

API ID:
String ID: !q"s$#iJk$*u&w$0e-g
API String ID: 0-3825726463
Opcode ID: 3135c7baf312c3557c70f0376436dfd03e155d8f7ecc23642683bdfda1843212
Instruction ID: 4e1464e1ccee8a0c2a5fd956f5e32923f0b79b51bff7f4d65ef434471bc5245a
Opcode Fuzzy Hash: 3135c7baf312c3557c70f0376436dfd03e155d8f7ecc23642683bdfda1843212
Instruction Fuzzy Hash: 9001EEB0054BA09FC3368F26A591206BFF0BF52600B616E1DC5E65FB29DB70A050CF45

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_173003262828c2e4_7c25c6182121a481a7bacbc9ebd31c438dd8_65cfd6e1_a97a180d-ded0-48f6-b2ff-3ea975f7661a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A6B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AAA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AF9.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe