Edit tour

Windows Analysis Report
1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Overview

General Information

Sample name:	1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe
Analysis ID:	1579150
MD5:	b76cea7d421f8ca41e00d4dd17ff804c
SHA1:	25549d3f28677851b2050b5277c727644fff944a
SHA256:	4499cb524b4ba0dedd4a3ab6231387828727c52c916ce49fdddd484b13627fd7
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe" MD5: B76CEA7D421F8CA41E00D4DD17FF804C)

WerFault.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["crosshuaht.lat", "necklacebudi.lat", "grannyejh.lat", "discokeyus.lat", "aspecteirs.lat", "sustainskelet.lat", "rapeflowwj.lat", "energyaffai.lat"], "Build id": "DUkgLv--BEN"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "necklacebudi.lat", "grannyejh.lat", "discokeyus.lat", "aspecteirs.lat", "sustainskelet.lat", "rapeflowwj.lat", "energyaffai.lat"], "Build id": "DUkgLv--BEN"}

Multi AV Scanner detection for submitted file

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Machine Learning detection for sample

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: rapeflowwj.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: crosshuaht.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: sustainskelet.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: aspecteirs.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: energyaffai.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: necklacebudi.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: discokeyus.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: grannyejh.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: crosshuaht.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: Workgroup: -
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	String decryptor: DUkgLv--BEN

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 4x nop then mov ecx, eax	0_2_0043E649
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh	0_2_004160C5
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	0_2_0043BFB8
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 4x nop then test eax, eax	0_2_0043BFB8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: energyaffai.lat

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 0_2_00404539		0_2_00404539
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 0_2_0043BFB8		0_2_0043BFB8

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 224

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@1/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7400

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d41632cc-4dff-4a9e-9e78-8d5d982a7cd1

Jump to behavior

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe "C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe"
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 224

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 0_2_00408311 push eax; ret		0_2_00408312
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Code function: 0_2_00408323 push eax; ret		0_2_00408324

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: rapeflowwj.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: crosshuaht.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: sustainskelet.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: aspecteirs.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: energyaffai.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: necklacebudi.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: discokeyus.lat
Source: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, 00000000.00000000.1359935720.0000000000443000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: grannyejh.lat

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	26%	ReversingLabs
1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
time.windows.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
sustainskelet.lat	false	high
crosshuaht.lat	false	high
rapeflowwj.lat	false	high
grannyejh.lat	false	high
aspecteirs.lat	false	high
discokeyus.lat	false	high
energyaffai.lat	false	high
necklacebudi.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579150
Start date and time:	2024-12-20 23:04:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@2/5@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65, 20.42.65.92, 13.107.246.63, 40.126.53.18, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe, PID 7400 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
17:05:50	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	13.107.246.63
	WwVs3PavPg.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	Tsy9P2T9yF.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	http://www.eventcreate.com/e/you-have-received-a-new-doc	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	zSmMqGGeVy.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	2M43DSi2cx.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	VajVW1leCd.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	7JKssbjRDa.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	m21jm5y5Z5.exe	Get hash	malicious	LummaC	Browse	13.107.246.63

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1734732185f25c13_b06091249e11b162136e8acc372ab61d8aa2cd_34efe75a_11e8ef36-9ff0-44a1-aa51-b141520ad6b9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7142432188806781
Encrypted:	false
SSDEEP:	192:+B7B9y7+7dSF7H0NXfd7v7tjEzuiFpZ24IO8J7e7T:wKydSZUNXfBztjEzuiFpY4IO81ST
MD5:	0305E0A34FD07E6B6770DFBEE9B92397
SHA1:	281087679926C5C5C074BDD13045CE9DA554F908
SHA-256:	6EB037B3601571B8EDE3E6BBDC39BF471B8E40B60CE62BC9B16D5054DB1638EE
SHA-512:	E820DFBF0221A653221DF282CF42BDA4E30F16A2740B1F684D2031F42C50DE1B22A0057B8F3066B5D7BA32FFCC598FC300118B68D230C61771F2CDA0D1235B10
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.0.5.9.1.8.5.5.2.8.7.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.0.5.9.1.8.8.6.5.3.9.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.e.8.e.f.3.6.-.9.f.f.0.-.4.4.a.1.-.a.a.5.1.-.b.1.4.1.5.2.0.a.d.6.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.d.a.0.9.2.0.-.0.5.e.0.-.4.2.f.2.-.8.b.3.7.-.0.d.5.b.5.6.8.f.1.9.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.7.3.4.7.3.2.1.8.5.f.2.5.c.1.3.0.9.3.a.4.1.a.2.4.0.2.f.b.9.3.b.0.e.0.0.4.9.d.5.5.2.6.3.e.8.1.e.9.d.0.e.5.6.f.9.c.3.7.3.6.f.6.4.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.8.-.0.0.0.1.-.0.0.1.4.-.d.6.8.e.-.3.c.4.1.2.b.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.5.a.e.f.6.b.a.0.c.4.c.3.6.0.e.6.4.d.b.9.b.5.7.0.6.4.6.f.f.f.a.0.0.0.0.f.f.f.f.!.0.0.0.0.2.5.5.4.9.d.3.f.2.8.6.7.7.8.5.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57D2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 20 22:05:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	19618
Entropy (8bit):	2.0474762873309835
Encrypted:	false
SSDEEP:	96:5v8gEr7z9y4G8LObg7vi7nYYP/vu1+D77WI/WItUIZ/kviRm:ugJjCH7vOzE+D//k6k
MD5:	E7BC6D8E297A658B103C3F01F25DE4DB
SHA1:	775C815050FFB14EFC638FAD969B0B08DF06BF46
SHA-256:	534D88FDB4695728F71F0EA20338107584466F64BA193B279EC14BB3A194280A
SHA-512:	AFEB6FDA7CBECD5442098305D79054931FAB7A33CFD0457179842FA2B56400419191C1B76416036200177533FF9A5FFEB2FD6664535B9A577B32D58B546E1A8F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........eg............4...............<.......d...<...........T.......8...........T...........H...ZC......................................................................................................eJ......L.......GenuineIntel............T.............eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5821.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8546
Entropy (8bit):	3.701733909502434
Encrypted:	false
SSDEEP:	192:R6l7wVeJj7QD6eNI6YNZSU9lMgmfr7FJPWOGpxr89bbCsfCpm:R6lXJf86ei6YDSU9lMgmfXFJPWONbBfF
MD5:	459B56EB7ED91377620214D53D4CE0B1
SHA1:	80DE075B83D3DD3A61D160E21FEE7342D4FEAFB0
SHA-256:	15F4B6CC869967826670850BDD71524C1561ECCDDF0AD30DE98D73109F3128BF
SHA-512:	5A05C09F6FE769FAED9092887388977BE8AD9335A2C3C1B3D638F38157F5C0B0ABFB52E211BDF02630542122F14366DE13FE22C5B189237D5019A73B0B5592B8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5841.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4893
Entropy (8bit):	4.563743768008851
Encrypted:	false
SSDEEP:	96:uIjfhI7QM7VpmJkasaz0ajHBpalzLalTd:uINYQM7OfXLjHBMlzulh
MD5:	FFB10A70C0D478FFC42865D8E3387B09
SHA1:	24A61A438E03FEDB76D411E85941F76C37DF0A27
SHA-256:	1FB6234E4420A55D5DA861F4E15EF49C8297F53B6A2C256C573295FA67C36076
SHA-512:	6F1BC9F6AD6C36CAAE958A8A5F4317F6049AD2D37A950BDB0802AD295AE590075C399237968D3343A5FEB60639E4E42E4D960BCA29200EFC4B13E6BCA1AB3600
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="640148" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417191306444019
Encrypted:	false
SSDEEP:	6144:kcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuND5+:Ji58oSWIZBk2MM6AFB5o
MD5:	0F374DD07D0222226E07FD85E0CAB980
SHA1:	FC670F9023CCF34235131405E0B9467FAC7D08DB
SHA-256:	4689296AD76EAA1390329F6419FF09F51F68FBC6344EDBD0AE0FE4CE7C1B13F6
SHA-512:	36581FE6316CA68F06B14E1A08835C7FECECF2925C00E11D5AE47CED313481A2964312C4EA6050089EB2CF641E9B3B5D9BBA38E6F43A5AFB71EE7D996CA1553C
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.>wA+S................................................................................................................................................................................................................................................................................................................................................`u........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8996273935330406
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe
File size:	318'688 bytes
MD5:	b76cea7d421f8ca41e00d4dd17ff804c
SHA1:	25549d3f28677851b2050b5277c727644fff944a
SHA256:	4499cb524b4ba0dedd4a3ab6231387828727c52c916ce49fdddd484b13627fd7
SHA512:	08e0e2693183d4f24f4fb99106453e73bacef26ed49e7ac030e3dc246904a9d14eddbad44eee6b1195441e3d6a446a991d6c65da481b49c9e5247e031b5aad83
SSDEEP:	6144:CfB3CRsqUKxogwjdT5cON3DB4kL9LclqaPymQa0RLWK8:3sqUKxuVTBH4qCymQa0RLd
TLSH:	43648D06DBA340A5D8C74875218EE77F693B2514A3344EC7DB8CCAA478739E1B83AD46
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................P.............@..........................`............@........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x408850
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
sbb eax, 0824548Bh
movzx ebx, byte ptr [esp+0Ch]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
cmp byte ptr [edx], bl
je 00007FAEF8B44428h
inc edx
dec ecx
jne 00007FAEF8B4441Ah
pop ebx
ret
mov eax, edx
pop ebx
ret
int3
int3
mov eax, FFFFFFFFh
mov ecx, dword ptr [esp+04h]
nop
nop
nop
nop
nop
nop
nop
cmp byte ptr [ecx+eax+01h], 00000000h
lea eax, dword ptr [eax+01h]
jne 00007FAEF8B44418h
ret
int3
int3
int3
int3
int3
push ebp
push ebx
push edi
push esi
xor ebp, ebp
mov ecx, dword ptr [esp+1Ch]
mov edx, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
xor edi, edi
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
cmp ecx, edi
je 00007FAEF8B44439h
add al, ah
dec esi
mov bh, 83h
cmp dword ptr [edx], 0F3A1CDEh
mov esi, 3A810304h
fidivr word ptr [eax]
fdiv dword ptr [ebp+07h]
inc edi
test bl, bl
jne 00007FAEF8B4440Dh
jmp 00007FAEF8B44426h
sub eax, ebx
mov ebp, eax
mov eax, ebp
pop esi
pop edi
pop ebx
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
mov ecx, dword ptr [esp+08h]
movzx edx, byte ptr [ecx]
xor eax, eax
test dl, dl
je 00007FAEF8B44444h
mov esi, dword ptr [esp+0Ch]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
movsx edx, dl
cmp edx, esi
je 00007FAEF8B4442Dh
movzx eax, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41bbf	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0x3888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41d08	0xbc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3eb36	0x3ec00	9a4416a062512f710fde47675a06fbcb	False	0.5492210844123506	data	6.760964812589881	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x40000	0x2097	0x2200	62481eebe00a0f5ece5aa47aa3387394	False	0.6079963235294118	data	6.857161056109667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x43000	0xe1e4	0x5000	58d43843fd9ce815314c2e84a85cca00	False	0.51591796875	data	7.058574616388034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x52000	0x3888	0x3a00	7d6a7508a6ea8cffcfb0d4f619ef7ae0	False	0.5816945043103449	data	6.512229477298348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 23:05:14.344152927 CET	52464	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 23:05:14.344152927 CET	192.168.2.7	1.1.1.1	0x3d52	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 23:05:14.481501102 CET	1.1.1.1	192.168.2.7	0x3d52	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 23:05:15.604875088 CET	1.1.1.1	192.168.2.7	0x41bd	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 23:05:15.604875088 CET	1.1.1.1	192.168.2.7	0x41bd	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Analysis Process: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exePID: 7400, Parent PID: 4056

General

Target ID:	0
Start time:	17:05:18
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe"
Imagebase:	0x400000
File size:	318'688 bytes
MD5 hash:	B76CEA7D421F8CA41E00D4DD17FF804C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	17:05:18
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 224
Imagebase:	0x830000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exePID: 7400, Parent PID: 4056COMMON

Non-executed Functions

Function 00404539 Relevance: 2.9, Strings: 2, Instructions: 394COMMON

Download Yara Rule

Strings

IEND, xrefs: 004049EA
), xrefs: 00404650

Memory Dump Source

Source File: 00000000.00000002.2612463069.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2612443731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612501831.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612518856.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612535742.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612553531.0000000000443000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612573393.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26e.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: d3d7d623f63e6aa1f4636fcde6620c90776f9174173bc65162052e3b0c1e0d5f
Instruction ID: 9b1bbe7977105e511df7b2b734c09ca9be14295609a2986e0bba555350919db2
Opcode Fuzzy Hash: d3d7d623f63e6aa1f4636fcde6620c90776f9174173bc65162052e3b0c1e0d5f
Instruction Fuzzy Hash: 81E113B1608344DFD720DF28C84079ABBE0EF95314F14492EEA95AB3C2D779D949CB86

Function 0043E649 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

u, xrefs: 0043E73D

Memory Dump Source

Source File: 00000000.00000002.2612463069.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2612443731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612501831.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612518856.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612535742.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612553531.0000000000443000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612573393.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26e.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: f1b776ad9d18a17e535532e0ce50876486c6db37554925882c709b135ec22fa2
Instruction ID: a9b4c18ca3ce1b1ca6cb425dee3095f9e6ec8466aec008cff29b8342abdc591a
Opcode Fuzzy Hash: f1b776ad9d18a17e535532e0ce50876486c6db37554925882c709b135ec22fa2
Instruction Fuzzy Hash: 4B719430A0A3418FE7159B2A88916ABBBE1EF5B310F28557FD4C1472D3D3389C06C74A

Function 0043BFB8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2612463069.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2612443731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612501831.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612518856.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612535742.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612553531.0000000000443000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612573393.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97893480ad20ec9005e186d079096d34c54e3c8e505c59be233a50cf03922d3d
Instruction ID: 4f5d135422eca54e5059e514069bbba57d8c337a6bc034b6d428f9214e35e741
Opcode Fuzzy Hash: 97893480ad20ec9005e186d079096d34c54e3c8e505c59be233a50cf03922d3d
Instruction Fuzzy Hash: 946177706083408FEB148F249CC066BB7B2EB5B314F187A6ED581A7252D739DC46CB9A

Function 004160C5 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2612463069.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2612443731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612501831.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612518856.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612535742.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612553531.0000000000443000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612573393.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7053ea1dbfba0d38f4d20bd2877be871e12570e3d4094e30582e5017f07595be
Instruction ID: 151060a4f834e437525e0faad5aa863ce8f133d05921b3633ac102563de51fe0
Opcode Fuzzy Hash: 7053ea1dbfba0d38f4d20bd2877be871e12570e3d4094e30582e5017f07595be
Instruction Fuzzy Hash: 39315C3AA081219BD3115F28C8015B277A2E796319F1E857AD884D7313D33DED42D7C9

Function 004214C2 Relevance: 40.2, Strings: 32, Instructions: 153COMMON

Download Yara Rule

Strings

HD, xrefs: 004214D6
0HD, xrefs: 004216D4
TID, xrefs: 004216FC
0HD, xrefs: 00421648
0HD, xrefs: 0042156C
0HD, xrefs: 00421634
0HD, xrefs: 004216C0
0HD, xrefs: 004215F8
0HD, xrefs: 00421731
0HD, xrefs: 00421594
0HD, xrefs: 004216E8
HD, xrefs: 004214FE
DID, xrefs: 0042165C
4ID, xrefs: 0042160C
0HD, xrefs: 00421580
LID, xrefs: 004216B6
0HD, xrefs: 0042167A
0HD, xrefs: 0042153A
0HD, xrefs: 004215B2
0HD, xrefs: 00421558
0HD, xrefs: 00421706
0HD, xrefs: 004215DA
0HD, xrefs: 004216A2
,ID, xrefs: 004215EE
0HD, xrefs: 00421616
0HD, xrefs: 0042168E
<ID, xrefs: 0042162A
0HD, xrefs: 00421512
0HD, xrefs: 0042171A
0HD, xrefs: 00421666
0HD, xrefs: 00421745
$ID, xrefs: 004215D0

Memory Dump Source

Source File: 00000000.00000002.2612463069.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2612443731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612501831.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612518856.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612535742.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612553531.0000000000443000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2612573393.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26e.jbxd

Similarity

API ID:
String ID: $ID$,ID$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$0HD$4ID$<ID$DID$LID$TID$HD$HD
API String ID: 0-702308117
Opcode ID: 431a3eb7ff693899895808684a129e29f1910fcbbb638253cba19d43a3016f36
Instruction ID: 049922c694d7a9bb595e46777b1488415d232f5b6158ec5c9a537ff5976fdc64
Opcode Fuzzy Hash: 431a3eb7ff693899895808684a129e29f1910fcbbb638253cba19d43a3016f36
Instruction Fuzzy Hash: 7F8194B541AB848FE3229F2094597D3BFF0AF57308F45888EC4EA4B252C7B92509DB95

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1734732185f25c13_b06091249e11b162136e8acc372ab61d8aa2cd_34efe75a_11e8ef36-9ff0-44a1-aa51-b141520ad6b9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57D2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5821.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5841.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe