Windows Analysis Report
U6ghPv3E7k.exe

Overview

General Information

Sample name: U6ghPv3E7k.exe (renamed because the original name is a hash value)
Original sample name: 3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44.exe
Analysis ID: 1546123
MD5: 00ba1e1d154e18d1124d87934fae9f20
SHA1: 41bfc98b2b24f4f70852f2de62c08e3c2aaf85ad
SHA256: 3c9bc8ec388807318127107c760233483bbba43a9c186eb7ed794d8fe4ffeb44
Tags: exevacationtogotravels-netuser-JAMESWT_MHT

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic

Classification

Source: unknown HTTPS traffic detected: 89.221.225.227:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: U6ghPv3E7k.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49708
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49931
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vacationtogotravels.net
Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: vacationtogotravels.net
Source: unknown HTTP traffic detected:
POST /register HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-CH
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: vacationtogotravels.net
Content-Length: 8
Connection: Keep-Alive
Cache-Control: no-cache
Source: U6ghPv3E7k.exe, 00000000.00000003.2203274887.000002D47C23E000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2194792115.000002D47C23E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vacationtogotravels.net/register
Source: U6ghPv3E7k.exe, 00000000.00000003.2257822965.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2218327326.000002D47C24F000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2254497955.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2251266127.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2254920750.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2248276830.000002D47C2D3000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2256754273.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2245514478.000002D47C290000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2257911553.000002D47C2CD000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2215564565.000002D47C24D000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2219233771.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2246626009.000002D47C2D1000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2245701697.000002D47C24B000.00000004.00000020.00020000.00000000.sdmp, U6ghPv3E7k.exe, 00000000.00000003.2251266127.000002D47C2C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vacationtogotravels.net/upload
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: classification engine Classification label: clean3.winEXE@7/28@1/1
Source: C:\Program Files\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Program Files\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF4C4ABBEFBEE1C868.TMP
Source: U6ghPv3E7k.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Internet Explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\U6ghPv3E7k.exe "C:\Users\user\Desktop\U6ghPv3E7k.exe"
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: U6ghPv3E7k.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: U6ghPv3E7k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: U6ghPv3E7k.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: U6ghPv3E7k.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: U6ghPv3E7k.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: U6ghPv3E7k.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: U6ghPv3E7k.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: U6ghPv3E7k.exe Static PE information: section name: .msvcjmc
Source: U6ghPv3E7k.exe Static PE information: section name: _RDATA
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe TID: 3140 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\U6ghPv3E7k.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed