Edit tour

Windows Analysis Report
FNGAutoBackup.exe

Overview

General Information

Sample name:	FNGAutoBackup.exe
Analysis ID:	1566425
MD5:	6c9cbe507b5f4bb46755ba2c17ed584c
SHA1:	3a5c068d810f6849fcb2153b09edb815d856a7ba
SHA256:	96a0dced371043bcfb6eeca6097b4f1017435c32a35689b2058f56bc9238600d
Tags:	exemalicioususer-TheRavenFile
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

FNGAutoBackup.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\FNGAutoBackup.exe" MD5: 6C9CBE507B5F4BB46755BA2C17ED584C)

WerFault.exe (PID: 7464 cmdline: C:\Windows\system32\WerFault.exe -u -p 7284 -s 804 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: FNGAutoBackup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FNGAutoBackup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Data.pdbH source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbX source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdbRSDSC source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.pdbMZ source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERE8D3.tmp.dmp.4.dr

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7284 -s 804

Source: FNGAutoBackup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@2/5@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7284
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Mutant created: NULL

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\60e77417-0ae5-43a9-9ed2-654de19648c5

Jump to behavior

Source: FNGAutoBackup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FNGAutoBackup.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

File read: C:\Users\user\Desktop\FNGAutoBackup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FNGAutoBackup.exe "C:\Users\user\Desktop\FNGAutoBackup.exe"
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7284 -s 804

Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FNGAutoBackup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FNGAutoBackup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Data.pdbH source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbX source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdbRSDSC source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.pdbMZ source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE8D3.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERE8D3.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Memory allocated: 17905810000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Memory allocated: 1791DA00000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Queries volume information: C:\Users\user\Desktop\FNGAutoBackup.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\FNGAutoBackup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FNGAutoBackup.exe	0%	ReversingLabs
FNGAutoBackup.exe	3%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566425
Start date and time:	2024-12-02 07:39:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FNGAutoBackup.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FNGAutoBackup.exe, PID 7284 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:40:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	173312131497fead2ebdffba48e639d886af98a7e28613c1999208e8d7a719ebfa8a8c2278190.dat-decoded.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	https://url.uk.m.mimecastprotect.com/s/lJtaCvgKLI76mPoHQfgHQcCL-?domain=cognitoforms.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.63

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FNGAutoBackup.ex_1c6818e205888b582bff204e21bebcbf7cd69_806afe30_72ed49fa-e902-4481-947f-fa55e06985bd\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9792447115208044
Encrypted:	false
SSDEEP:	192:hD4kbyh0Pw38FkaWuFTzuiFDZ24lO8Ief:F4kzPw3/axFTzuiFDY4lO8x
MD5:	5D4B923765BB7CCE33DCFDFAB3F7C987
SHA1:	52EEADBDD9848134B5D182DCAACAF0B983569B9C
SHA-256:	CA3209DA104611D757902FFDE528730C62BE297823F5B943061D696A67027F2F
SHA-512:	E06A2E419088BD17840D61D3BA4E69887AF2F8EBE3DF64B507CF434E0FC3661CE630D45CFFDD2C218F86169AC01AD987D6CFB05F9C72667371C5F6D5D6E5E766
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.5.9.5.1.9.6.9.4.2.2.3.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.5.9.5.1.9.7.6.4.5.5.2.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.e.d.4.9.f.a.-.e.9.0.2.-.4.4.8.1.-.9.4.7.f.-.f.a.5.5.e.0.6.9.8.5.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.8.c.0.0.f.2.-.3.2.1.f.-.4.7.6.b.-.8.8.2.e.-.f.9.a.4.b.e.2.8.3.c.6.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.F.N.G.A.u.t.o.B.a.c.k.u.p...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.N.G.A.u.t.o.B.a.c.k.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.4.-.0.0.0.1.-.0.0.1.4.-.4.e.9.c.-.1.4.0.0.8.5.4.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.3.e.8.2.2.8.3.7.6.4.f.8.6.7.f.3.c.1.5.4.f.6.a.3.7.e.3.e.c.1.9.0.0.0.0.0.0.0.0.!.0.0.0.0.3.a.5.c.0.6.8.d.8.1.0.f.6.8.4.9.f.c.b.2.1.5.3.b.0.9.e.d.b.8.1.5.d.8.5.6.a.7.b.a.!.F.N.G.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8D3.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Dec 2 06:39:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	333572
Entropy (8bit):	3.435141195462088
Encrypted:	false
SSDEEP:	3072:M3sdaGP8D4cPDmztCcS/M5va94eD21CCqU3+vdmk:MDlVLKtaSC4nqU3Q
MD5:	3D36062C9C8CE202579DDE0B219DBF14
SHA1:	DDCCE8A54C0464CF46E35249EB997584AC206BD6
SHA-256:	066CC6BB3BBA52DF136BBCC48CE2E77713A6B44933B06CF2C34F12E98B4185FB
SHA-512:	5B5F48C76FFE3AA7E02318BBA8CD64E49ABBC7EFBF739743ECA452F3CFB829E87B9E5FDDC4F05FA79CBEDE4EAE2D0256AF4D6B4B33DB97DA8032048DD46059DC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......=VMg....................................$...........................$N..........l.......8...........T...........................T...........@...............................................................................eJ..............Lw......................T.......t...<VMg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA2C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8618
Entropy (8bit):	3.700674103718165
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+Q86YcDs8tAgmfZ+mpr089bpngfGDm:R6lXJx86Y78tAgmfcSpgfj
MD5:	07965E11566BDBEE519B869EC5950A55
SHA1:	8FE450C19E4B440DD537BFFB85E5BE831093B673
SHA-256:	5E115A4C4A87CE7EA21FD1E06B6DD3B836D8F31C579D43FDB6542B35646F2D21
SHA-512:	6724F78E9A6EF52BFBE33E5D60AD9969CFB27A96E1143A44F5D7B3B7BB6D110571018B13471A539C0FD430A7236FC7079E8D8636FB8836F4220D5BD576D65F3D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA7B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4827
Entropy (8bit):	4.498912766811829
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZLNJg771I9+hWpW8VYWvYm8M4J3u2Fgyq8v9uUGFWAkFMxyQd:uIjfZnI7Rw7VdyJWWfGFWAkeyQd
MD5:	2E35056C7B42B6007B3175CA97C11B42
SHA1:	EDFF8F202B22F59FAF5685236BAB46B73D9A52FF
SHA-256:	7FF9E1AFADB900063C4BEB4C5D9FC6DB5877831390715D848FA369EE30EA59CF
SHA-512:	12A50F7475307846AB42BC0EFE64020A941B9AA148AB895B283B5E89235BF888ADE6982C245F498A8A77CE908C03BA6BC7AC4697A883E87359F735FA04D40C31
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="613302" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394144048114761
Encrypted:	false
SSDEEP:	6144:Vl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNA+OBSqas:r4vF0MYQUMM6VFYS+U/
MD5:	4F31F33135B366B88CD3FF809DE31938
SHA1:	6D2596CA676D204ACFB563BF1A8401660005C683
SHA-256:	0387902D3808BE7633D2A2E35EC5F8DE28BA4E6FA690138314B58C7B27BA2BD9
SHA-512:	4C888C99D8CA81B2AEA6E37A043AA6F549AD9AA993F3416551818795251AFACB376BEC77F6B0BA179D61A84E6D7878F3338227980D50AA4CCEA75FDFE01F582F
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....D................................................................................................................................................................................................................................................................................................................................................4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.214830992853151
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	FNGAutoBackup.exe
File size:	46'080 bytes
MD5:	6c9cbe507b5f4bb46755ba2c17ed584c
SHA1:	3a5c068d810f6849fcb2153b09edb815d856a7ba
SHA256:	96a0dced371043bcfb6eeca6097b4f1017435c32a35689b2058f56bc9238600d
SHA512:	6b557742cc252ccf89bcabd67ae787012142e59f34e8a3408a9c81e230cd6064db438e14cbd1d873fbd1199e70318d9a1ec3910b431a00a4fb90becf35c9c8a0
SSDEEP:	384:SpdQffbhhoDfgouHaisY5TGzR6PMOYWxtFI/LY6Uq14HGgclyR+DaXekIvEtWBjL:nh15TGUEBsQUqDJLhJl7blwJE
TLSH:	0023EB1672C9AE95D57EA1703B7382E4C3BBDD0A5123D62D0DD13A8B4A7C3137A02BE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.....................2........... ........@.. ....................................`................................

File Icon


Icon Hash:	4545545454545501

Static PE Info

General

Entrypoint:	0x409eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64148796 [Fri Mar 17 15:30:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9ea0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x2e68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7ef4	0x8000	c12202026f37e4056070eb3f6501b63d	False	0.38726806640625	data	5.52614779124491	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x2e68	0x3000	1ceb56ac92c33b09f09e1c7b6fa1c6f1	False	0.09163411458333333	data	3.302972855028598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	7624b04cc4afc0434b4c9c93616b9f4d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa4e8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.28040540540540543
RT_ICON	0xa610	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.05708092485549133
RT_ICON	0xab78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.05851063829787234
RT_ICON	0xafe0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.11559139784946236
RT_ICON	0xb2c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.04016245487364621
RT_ICON	0xbb70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.020872420262664164
RT_GROUP_ICON	0xcc18	0x5a	data	0.7222222222222222
RT_VERSION	0xa220	0x2c8	data	0.43679775280898875
RT_MANIFEST	0xcc78	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 07:39:54.577336073 CET	1.1.1.1	192.168.2.9	0x16be	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 2, 2024 07:39:54.577336073 CET	1.1.1.1	192.168.2.9	0x16be	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: FNGAutoBackup.exePID: 7284, Parent PID: 3504

General

Target ID:	0
Start time:	01:39:56
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\FNGAutoBackup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\FNGAutoBackup.exe"
Imagebase:	0x17903d20000
File size:	46'080 bytes
MD5 hash:	6C9CBE507B5F4BB46755BA2C17ED584C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7464, Parent PID: 7284

General

Target ID:	4
Start time:	01:39:56
Start date:	02/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7284 -s 804
Imagebase:	0x7ff7292b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: FNGAutoBackup.exePID: 7284, Parent PID: 3504COMMON

Executed Functions

Function 00007FF887D30398 Relevance: 8.2, Strings: 6, Instructions: 656COMMON

Download Yara Rule

Strings

H1_, xrefs: 00007FF887D30369
/_, xrefs: 00007FF887D30399
(0_, xrefs: 00007FF887D303F9
P/_, xrefs: 00007FF887D303D9
p0_, xrefs: 00007FF887D303B9
8,_, xrefs: 00007FF887D303C9

Memory Dump Source

Source File: 00000000.00000002.1468002712.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d30000_FNGAutoBackup.jbxd

Similarity

API ID:
String ID: (0_$8,_$H1_$P/_$p0_$/_
API String ID: 0-3237548848
Opcode ID: 14b204ac79e77bcf55a8449306e3a427dd2334ef5561627eaf83af05be9157c6
Instruction ID: 5345567eff227effd857302c3a990744d4a6f668b2e6020834447b445ca9cf6e
Opcode Fuzzy Hash: 14b204ac79e77bcf55a8449306e3a427dd2334ef5561627eaf83af05be9157c6
Instruction Fuzzy Hash: DD91F923D4DAC24FF31696BC68551FD7BB2FF426A074801BBC1998B1DBF9189809C385

Function 00007FF887D304A8 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468002712.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d30000_FNGAutoBackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749eb7a91a8867f87eca4b07f14593cf25b947a73d2bc5c597a2971ec93bf31
Instruction ID: 36d68c365cba450beb54f6ed5bf3151d94bd8c8b8732b8582b1d91d1a05b887f
Opcode Fuzzy Hash: 5749eb7a91a8867f87eca4b07f14593cf25b947a73d2bc5c597a2971ec93bf31
Instruction Fuzzy Hash: AE41EA27E4CB934AE319B6BCA8651FC3BA1EF413B570802BBC599C60D3F91D58468386

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FNGAutoBackup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FNGAutoBackup.ex_1c6818e205888b582bff204e21bebcbf7cd69_806afe30_72ed49fa-e902-4481-947f-fa55e06985bd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8D3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA2C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA7B.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: FNGAutoBackup.exePID: 7284, Parent PID: 3504

General

Chronological Activities

Analysis Process: WerFault.exePID: 7464, Parent PID: 7284

Windows Analysis Report
FNGAutoBackup.exe