Edit tour

Windows Analysis Report
Mmt4YaKg5u.exe

Overview

General Information

Sample name:	Mmt4YaKg5u.exe renamed because original name is a hash value
Original sample name:	f36fd6445db562f134623e5bfb23e1d7.exe
Analysis ID:	1581198
MD5:	f36fd6445db562f134623e5bfb23e1d7
SHA1:	dbd3297f34f59ca3ff25bd0c17cc274c9a456808
SHA256:	88c3d3076ef5d30581a94d413b405b5638cec666f6705dee718e5843355e01e5
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Mmt4YaKg5u.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\Mmt4YaKg5u.exe" MD5: F36FD6445DB562F134623E5BFB23E1D7)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Mmt4YaKg5u.exe	Virustotal: Detection: 51%			Perma Link
Source: Mmt4YaKg5u.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Mmt4YaKg5u.exe

Joe Sandbox ML: detected

Source: Mmt4YaKg5u.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Code function: 4x nop then jmp 00007FFD9A180E1Fh

0_2_00007FFD9A180C39

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 107.150.123.235 ports 15694,2,3,4,5,6,56234,36428

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 107.150.123.235:56234

Source: Joe Sandbox View

ASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK UHGL-AS-APUCloudHKHoldingsGroupLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.150.123.235

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Code function: 0_2_00007FFD9A187B72		0_2_00007FFD9A187B72
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Code function: 0_2_00007FFD9A186DC6		0_2_00007FFD9A186DC6

Source: Mmt4YaKg5u.exe, 00000000.00000000.1665622608.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameclient.exe" vs Mmt4YaKg5u.exe
Source: Mmt4YaKg5u.exe	Binary or memory string: OriginalFilenameclient.exe" vs Mmt4YaKg5u.exe

Source: Mmt4YaKg5u.exe, Settings.cs

Base64 encoded string: 'R3FmRmlya1VYYTB3cWgwU1pqcGZBQ0w0Z0d2SDBYRjJjMFdTS1U4V05VdlZjZmpEYkhjNDBGQUVmbGliNmNkOVU4VXpMaEhFa1NScVF6Y0FocnB0NUxDWDBSeGp2aGF2MHZCZUx0MjQ5WFQ='

Source: classification engine

Classification label: mal64.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Mutant created: \Sessions\1\BaseNamedObjects\wTSPlSZ1dfkB

Source: Mmt4YaKg5u.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Mmt4YaKg5u.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mmt4YaKg5u.exe	Virustotal: Detection: 51%
Source: Mmt4YaKg5u.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Mmt4YaKg5u.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Mmt4YaKg5u.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Mmt4YaKg5u.exe, MessageConnect.cs

.Net Code: I System.Reflection.Assembly.Load(byte[])

Source: Mmt4YaKg5u.exe

Static PE information: 0xD39922A3 [Tue Jun 30 07:00:51 2082 UTC]

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Code function: 0_2_00007FFD9A1847F2 push eax; iretd

0_2_00007FFD9A184879

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Memory allocated: 1380000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe TID: 7824

Thread sleep time: -45000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Mmt4YaKg5u.exe	Binary or memory string: VMwareQEMU
Source: Mmt4YaKg5u.exe, 00000000.00000002.2919470702.0000000003243000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Mmt4YaKg5u.exe, 00000000.00000002.2920431995.000000001C0BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Queries volume information: C:\Users\user\Desktop\Mmt4YaKg5u.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mmt4YaKg5u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mmt4YaKg5u.exe	51%	Virustotal		Browse
Mmt4YaKg5u.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Mmt4YaKg5u.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.150.123.235	unknown	United States		135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581198
Start date and time:	2024-12-27 08:22:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mmt4YaKg5u.exe renamed because original name is a hash value
Original Sample Name:	f36fd6445db562f134623e5bfb23e1d7.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 29 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.32.238.234, 23.32.238.242, 23.32.238.218, 23.32.238.225, 23.32.238.203, 23.32.238.235, 23.32.238.179, 23.32.238.217, 23.32.238.210, 20.189.173.20, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target Mmt4YaKg5u.exe, PID 7820 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	3344.exe	Get hash	malicious	Metasploit	Browse	45.43.36.223
	m.elf	Get hash	malicious	Unknown	Browse	45.43.36.223
	5544x64.elf	Get hash	malicious	ConnectBack	Browse	45.43.36.223
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	128.1.49.123
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	MAERSK LINE SHIPPING DOC_4253.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	107.155.56.30
	nabppc.elf	Get hash	malicious	Unknown	Browse	107.155.48.54
	shell64.elf	Get hash	malicious	ConnectBack	Browse	45.43.36.223

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.658923810062706
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Mmt4YaKg5u.exe
File size:	54'784 bytes
MD5:	f36fd6445db562f134623e5bfb23e1d7
SHA1:	dbd3297f34f59ca3ff25bd0c17cc274c9a456808
SHA256:	88c3d3076ef5d30581a94d413b405b5638cec666f6705dee718e5843355e01e5
SHA512:	a9ce556ec8f85e9bc2a676412fff03460e42d16367144d0ef7e252d2f6b2fe41890fd159ea646269d810ad989efa2478fee4e8ba5b21ce8af73868c38ec002ff
SSDEEP:	768:ruJLpsh0OUdOBcsiMPiR4aZrZeg8bS5V0AOTDNYcEYugWK:K9iQdOBc7oi6oZeg8bqV0AMMgWK
TLSH:	55334B057B685B35DABC07FD9873621443B0A2075842E76D6DDC60EE2B73BC58602EE7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."............"...0.............>.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40de3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD39922A3 [Tue Jun 30 07:00:51 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdde4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x1131	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbe44	0xc000	a38fbcf82d6caca8e469502fdfb09d49	False	0.4766438802083333	data	5.614371783120636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1131	0x1200	53aa7ff26945a39569560537d942fde6	False	0.4249131944444444	data	5.637202652920777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	47f7822536ff157957978a4670ecae9f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2f4	data			0.42857142857142855
RT_MANIFEST	0xe394	0xd9d	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators			0.45652797704447634

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:23:03.876687050 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:03.996305943 CET	56234	49736	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:03.996639013 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:04.828257084 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:04.947877884 CET	56234	49736	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:06.599842072 CET	56234	49736	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:06.600019932 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:09.632401943 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:09.932440042 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:10.225155115 CET	56234	49736	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:10.225172997 CET	56234	49736	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:10.225276947 CET	49736	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:10.479557037 CET	49737	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:10.599783897 CET	36428	49737	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:10.599940062 CET	49737	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:11.526913881 CET	49737	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:11.646676064 CET	36428	49737	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:13.141891003 CET	36428	49737	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:13.141997099 CET	49737	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:16.151431084 CET	49737	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:16.271125078 CET	36428	49737	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:18.901479959 CET	49739	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:19.021434069 CET	36428	49739	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:19.021532059 CET	49739	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:19.479578972 CET	49739	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:19.599231958 CET	36428	49739	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:21.614828110 CET	36428	49739	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:21.614909887 CET	49739	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:24.619951010 CET	49739	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:24.739800930 CET	36428	49739	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:26.135675907 CET	49740	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:26.255578995 CET	36428	49740	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:26.255682945 CET	49740	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:26.916982889 CET	49740	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:27.036894083 CET	36428	49740	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:28.856498003 CET	36428	49740	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:28.856563091 CET	49740	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:31.869812965 CET	49740	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:31.989525080 CET	36428	49740	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:32.744915009 CET	49741	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:32.864686966 CET	56234	49741	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:32.864778996 CET	49741	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:33.666970968 CET	49741	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:33.786767960 CET	56234	49741	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:35.444216013 CET	56234	49741	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:35.444451094 CET	49741	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:38.448056936 CET	49741	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:38.567819118 CET	56234	49741	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:39.854357004 CET	49742	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:39.974150896 CET	15694	49742	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:39.974339962 CET	49742	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:40.463789940 CET	49742	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:40.583659887 CET	15694	49742	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:42.657584906 CET	15694	49742	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:42.657783031 CET	49742	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:45.666778088 CET	49742	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:45.786613941 CET	15694	49742	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:48.010530949 CET	49743	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:48.130511999 CET	36428	49743	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:48.130593061 CET	49743	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:48.276216984 CET	49743	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:48.396008015 CET	36428	49743	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:50.722783089 CET	36428	49743	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:50.722893000 CET	49743	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:53.729155064 CET	49743	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:53.848793030 CET	36428	49743	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:54.073215008 CET	49746	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:54.193028927 CET	15694	49746	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:54.193273067 CET	49746	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:54.901211023 CET	49746	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:55.020948887 CET	15694	49746	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:56.734297991 CET	15694	49746	107.150.123.235	192.168.2.4
Dec 27, 2024 08:23:56.734369040 CET	49746	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:59.744746923 CET	49746	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:23:59.864682913 CET	15694	49746	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:01.150928974 CET	49758	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:01.270380974 CET	56234	49758	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:01.270461082 CET	49758	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:01.604231119 CET	49758	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:01.723793983 CET	56234	49758	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:03.825113058 CET	56234	49758	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:03.825349092 CET	49758	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:06.838469982 CET	49758	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:06.957971096 CET	56234	49758	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:07.354089022 CET	49773	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:07.473690987 CET	15694	49773	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:07.473810911 CET	49773	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:08.135337114 CET	49773	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:08.254749060 CET	15694	49773	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:10.016412020 CET	15694	49773	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:10.016602039 CET	49773	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:13.025834084 CET	49773	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:13.146029949 CET	15694	49773	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:14.791510105 CET	49792	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:14.911300898 CET	36428	49792	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:14.911370993 CET	49792	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:15.385759115 CET	49792	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:15.505228996 CET	36428	49792	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:17.452208996 CET	36428	49792	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:17.454916954 CET	49792	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:20.463206053 CET	49792	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:20.582776070 CET	36428	49792	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:22.901027918 CET	49810	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:23.020761013 CET	15694	49810	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:23.021142960 CET	49810	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:23.979072094 CET	49810	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:24.098591089 CET	15694	49810	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:25.823568106 CET	15694	49810	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:25.823678017 CET	49810	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:28.838237047 CET	49810	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:28.957897902 CET	15694	49810	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:30.431978941 CET	49826	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:30.552515984 CET	56234	49826	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:30.552649975 CET	49826	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:30.822698116 CET	49826	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:30.942290068 CET	56234	49826	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:33.148199081 CET	56234	49826	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:33.148329973 CET	49826	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:36.150774956 CET	49826	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:36.270392895 CET	56234	49826	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:38.479011059 CET	49847	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:38.598644018 CET	15694	49847	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:38.598872900 CET	49847	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:39.264794111 CET	49847	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:39.384283066 CET	15694	49847	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:41.436872959 CET	15694	49847	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:41.436990976 CET	49847	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:44.447627068 CET	49847	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:44.568037033 CET	15694	49847	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:45.985161066 CET	49863	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:46.104734898 CET	56234	49863	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:46.104820967 CET	49863	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:46.791651964 CET	49863	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:46.911426067 CET	56234	49863	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:48.695147038 CET	56234	49863	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:48.695250988 CET	49863	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:51.712522030 CET	49863	56234	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:51.832087994 CET	56234	49863	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:53.854211092 CET	49883	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:53.973758936 CET	36428	49883	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:53.973880053 CET	49883	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:54.588285923 CET	49883	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:54.707969904 CET	36428	49883	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:56.551189899 CET	36428	49883	107.150.123.235	192.168.2.4
Dec 27, 2024 08:24:56.551429033 CET	49883	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:59.556832075 CET	49883	36428	192.168.2.4	107.150.123.235
Dec 27, 2024 08:24:59.676635981 CET	36428	49883	107.150.123.235	192.168.2.4
Dec 27, 2024 08:25:00.588067055 CET	49895	15694	192.168.2.4	107.150.123.235
Dec 27, 2024 08:25:00.707593918 CET	15694	49895	107.150.123.235	192.168.2.4
Dec 27, 2024 08:25:00.707672119 CET	49895	15694	192.168.2.4	107.150.123.235

Target ID:	0
Start time:	02:22:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Mmt4YaKg5u.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Mmt4YaKg5u.exe"
Imagebase:	0xe30000
File size:	54'784 bytes
MD5 hash:	F36FD6445DB562F134623E5BFB23E1D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD9A186DC6 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a767df01391fb344e9981f3bcb948cea636371e1d2590e50949ae9bd791d5f7c
Instruction ID: 762634e8ba2bbff6a517156726767acf3fc3143bcc6047c7956dae1700ecbdae
Opcode Fuzzy Hash: a767df01391fb344e9981f3bcb948cea636371e1d2590e50949ae9bd791d5f7c
Instruction Fuzzy Hash: 67F1B731A08A4D8FEBA8DF2CC8657E937D1FF54310F04426EE85DCB295DB3499458B82

Function 00007FFD9A187B72 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e614992c09b6a45cd1ad219c1e760405f382d67180791f0323bff0c3e8b7382c
Instruction ID: d132b92aafb8c3fd36014dc32b1ac3c5a5e8602bab711e07adf26576983b51b5
Opcode Fuzzy Hash: e614992c09b6a45cd1ad219c1e760405f382d67180791f0323bff0c3e8b7382c
Instruction Fuzzy Hash: 44E1C331A08A4E8FEBA8DF68C8657F977D1EF54310F04426AE84DC7295DF34A8458B82

Function 00007FFD9A180C39 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba81d2c325dd717d3b1d01b1b8a78fbc0ec96663315cf3082e2c0b8ed77bebb
Instruction ID: 94e808c4097df302aefa53cc4abc5ece23b5597919af2f137a6141cca70813d1
Opcode Fuzzy Hash: eba81d2c325dd717d3b1d01b1b8a78fbc0ec96663315cf3082e2c0b8ed77bebb
Instruction Fuzzy Hash: 29613E72E0961DCEE768AFA8C4646FDBBB1AF45305F5014B9D019BB2E2CF386544CB14

Function 00007FFD9A188801 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d541d6fc93d0446e759ff73bb89bad3fca5b6b4591ee5f27b676ae544685e124
Instruction ID: 7516fe62d2942c1b7c307a34a25614a2de2bff6f57a5a946c4575cbdfaed127d
Opcode Fuzzy Hash: d541d6fc93d0446e759ff73bb89bad3fca5b6b4591ee5f27b676ae544685e124
Instruction Fuzzy Hash: 05F10C71A0851D8FDBA8EF68C4A4BA9B7B2FF59305F5045EAD00DE7295CF35A981CB00

Function 00007FFD9A187786 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f853303557234ad728e275083e872ed0e5c03a6b8174415cc087f7e7d57c2da5
Instruction ID: 9258edbcd30934b71de9a2a0c1b948ee7fe424e9350bc185d5e4354640b81115
Opcode Fuzzy Hash: f853303557234ad728e275083e872ed0e5c03a6b8174415cc087f7e7d57c2da5
Instruction Fuzzy Hash: 07B1C531A08A4D8FEB69DF28D855BF93BD1EF55310F04426AE84DC7296CE34A945CB82

Function 00007FFD9A182DE9 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8225aecdb8ab6aae1a1f210105e702f7b88693a78f7fe1936ddf492ab39a9
Instruction ID: a00899dddfec84e2744079e9224fbc44e18d09a79b9336de58255988107de8fb
Opcode Fuzzy Hash: 0eb8225aecdb8ab6aae1a1f210105e702f7b88693a78f7fe1936ddf492ab39a9
Instruction Fuzzy Hash: D2B12B32E0961D8FDBA8DBA8C464AEDB7B1FF55305F5041B9D00DEB285CB396985CB40

Function 00007FFD9A181B5C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d1812ba1b410cf769708115b9d05827df60b2aa8e654876d0ab097b4320b6d
Instruction ID: 34090dcf153c65e83dc8934083a27095aafacd590076bedd42651c0fc4423b9a
Opcode Fuzzy Hash: 97d1812ba1b410cf769708115b9d05827df60b2aa8e654876d0ab097b4320b6d
Instruction Fuzzy Hash: D1A1A571A1896D8FDBA4EB18C894BE9B7F1FF68301F5001E5A01DE7265CA34AE81CF40

Function 00007FFD9A1817FA Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7a6b8732641c73e5730eda420aab596d68b2d4c8e52956e8e429ec5ba78593
Instruction ID: 97faacaf35c1e3d41c77be1394741b98fff972fff05374d96fd8a4c8f4015892
Opcode Fuzzy Hash: 4e7a6b8732641c73e5730eda420aab596d68b2d4c8e52956e8e429ec5ba78593
Instruction Fuzzy Hash: D291EB71E1895D8FDB94EB6CC8A5B9CBBF1FF58301F1441A6D01DE72A6CA34A881CB41

Function 00007FFD9A188CD7 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee76c665a20be724d1f3285c700e6cd65d224480faf99a487bd9e4941bd8d73b
Instruction ID: 1b508fc62a13f9190f1e11bca234e008a15c4909e71cdc03e744475c38b7c420
Opcode Fuzzy Hash: ee76c665a20be724d1f3285c700e6cd65d224480faf99a487bd9e4941bd8d73b
Instruction Fuzzy Hash: 2E71A671A05A1D8FDBA9EF68C864AE9B3B1FF58301F5045E9D00DE7255CA35AD81CB00

Function 00007FFD9A18212D Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50977d45c91c13fd62b5b6edd1f92d4e0897043b06ca7eceeaae9c2709bf0b2a
Instruction ID: ebb4f70d9237d44f190de2fbd742b785897954a67773fe75d2f7e9348293da93
Opcode Fuzzy Hash: 50977d45c91c13fd62b5b6edd1f92d4e0897043b06ca7eceeaae9c2709bf0b2a
Instruction Fuzzy Hash: 5E61E674E08A1D8FDF94EB68C854BACB7B2FF59301F5001A9D00DE7295DB39A981CB41

Function 00007FFD9A1842AC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f053ada2f3fedc2a49413eba5c62a3cea860fea46a7be2df38bd1bfb45ba7f
Instruction ID: 48da0cf4ba47271bda99ce78411fda96300f9577cfa4855734532b6bebd3f43d
Opcode Fuzzy Hash: 93f053ada2f3fedc2a49413eba5c62a3cea860fea46a7be2df38bd1bfb45ba7f
Instruction Fuzzy Hash: 1F518331D18A1C8FDB68DF58D855BE9BBF1FB59310F1082AAD00DD3256DE34A9858F82

Function 00007FFD9A182376 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747a8cc36ce80c45d7950dd9038478c5b668f98d398b5248d22715b6cda1d7b9
Instruction ID: 31f454976f7ecdded1d9f1d27dfd6ba657db45a6a37bb35d624f0dad856b1bf2
Opcode Fuzzy Hash: 747a8cc36ce80c45d7950dd9038478c5b668f98d398b5248d22715b6cda1d7b9
Instruction Fuzzy Hash: 9A614131E0865D8FDB99DFA8C864AEDBBB1FF59300F1001AAD00DE7296CB349981CB51

Function 00007FFD9A181648 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02518947908ec68adfcc3c786fe08b2606fa72f62d51df43df49d1beba35fae5
Instruction ID: 81ea5fbd42ec9e20fb6b04fcde8ce93e3253944baf1cc0ab7302c90849518e6f
Opcode Fuzzy Hash: 02518947908ec68adfcc3c786fe08b2606fa72f62d51df43df49d1beba35fae5
Instruction Fuzzy Hash: 8541DC63F18D460FD7E9AB6CA865AB573D1EF6435071046BAD41FC61CEDE38E8428382

Function 00007FFD9A1804D3 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66236876b4fef1c9b988d9ff699b8bbb97879c5ce0b734b9fe8f08b03a63948
Instruction ID: 49d083775c691a6dc527a126f777a9d747b67da4c5fa3b6db9d864511cdc29c5
Opcode Fuzzy Hash: c66236876b4fef1c9b988d9ff699b8bbb97879c5ce0b734b9fe8f08b03a63948
Instruction Fuzzy Hash: FA41C517F0C55689E7017BBCB8291E87BA1DFC5239F0842B7E198990CBDD28208E9797

Function 00007FFD9A18257D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009484ae7d9efb221f3eba6aae4dab56e1d6c5253e786e0904f6b73ce444b688
Instruction ID: 5f2002b3e46978b1dff537efa9847cadca6d5fcd87678b845990702397707dd0
Opcode Fuzzy Hash: 009484ae7d9efb221f3eba6aae4dab56e1d6c5253e786e0904f6b73ce444b688
Instruction Fuzzy Hash: BA416231E0865D8FDB95EBA8C465AECBBF1FF59301F4001BAD008E7296CB38A841CB51

Function 00007FFD9A180788 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d2576027fa4c239feeab59416d46576bea8cce27d3cc7a33f6f52b8a2e1117
Instruction ID: 9531930cf8d017317e74a36b53a9e271b37002e0f7872be1df8c8c9f6158f7e2
Opcode Fuzzy Hash: 01d2576027fa4c239feeab59416d46576bea8cce27d3cc7a33f6f52b8a2e1117
Instruction Fuzzy Hash: 9741E632A1990D8FEBA8EF98C464ABDB7B1FF59305F50047AD00DE7295CB356881CB40

Function 00007FFD9A182A61 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93451f77bdd9e5e2ef53eafcae54a2a5a4ac7d9fd29c34d3601dbd7ecb334b4f
Instruction ID: 1e5f4eaf7c86679161c790ed6708de5166e5c978e4983b7ba842154b5774472a
Opcode Fuzzy Hash: 93451f77bdd9e5e2ef53eafcae54a2a5a4ac7d9fd29c34d3601dbd7ecb334b4f
Instruction Fuzzy Hash: F231C433E0864D9FDB69DBA8D8656EDB7B1EF45310F0401BAD02AF72C1CA395542CB51

Function 00007FFD9A18105E Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8922e75a94a23084d5f80f246089dfc50b8eb602c08af318fe1b35519708712c
Instruction ID: 63547159d4fb926614821cbacba629a7b2e63d933581b6a072907d7ac143cb4c
Opcode Fuzzy Hash: 8922e75a94a23084d5f80f246089dfc50b8eb602c08af318fe1b35519708712c
Instruction Fuzzy Hash: 5731B775A04A1DCFCF88EF98C494AACBBB1FF68315F1041A9D00EEB695CA35A841CB50

Function 00007FFD9A182E79 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79ad6d7242c10aafc0d1ed4cbf207530ffb1fd7f386e42b3d3838e8c39ca87d
Instruction ID: 2fea164ce97d3c1d7e69cda92a14c8745645ff89ac9dfac833d5eb13def4992d
Opcode Fuzzy Hash: b79ad6d7242c10aafc0d1ed4cbf207530ffb1fd7f386e42b3d3838e8c39ca87d
Instruction Fuzzy Hash: 02314F32E0D6498FEBA9DBA8C4616BD77B5EF55300F5400B9D00DEB282CB386985CB10

Function 00007FFD9A1805B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121bbe332d16001fddffbd9c5078cedd2c0e4f9b7d7abeb72bf6a249c06f3be5
Instruction ID: 5402ef62bdffaf50b9b508bd50db5205e1986a8e670f9a3a0f0f82fcfc6114af
Opcode Fuzzy Hash: 121bbe332d16001fddffbd9c5078cedd2c0e4f9b7d7abeb72bf6a249c06f3be5
Instruction Fuzzy Hash: FA216D33E0850E9FEB15EFB8D8556EDB7B2FF45308F4045B6D028E718ADA3865448B92

Function 00007FFD9A1805A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf33597efc72678560ae2c25fc9912f6c23a685ef627d0c62de21fce4686adf4
Instruction ID: 18fa3077f65fd5b620d11aa195eca481951e5b29e7eec272dfc6bc89e4c3d0db
Opcode Fuzzy Hash: cf33597efc72678560ae2c25fc9912f6c23a685ef627d0c62de21fce4686adf4
Instruction Fuzzy Hash: BD11B637E0C5599EEB15ABBCA8252E9BBB1EF45318F0401B6D058E60C6DA3C21498752

Function 00007FFD9A1826EE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be2546df909993393e6cd5ff287053a40f96258ba526264efaee4a0d8a2a8a3
Instruction ID: 5ab30c32248af488234968710f0aa3b736a77de622e3c8245f26e986b91e6304
Opcode Fuzzy Hash: 1be2546df909993393e6cd5ff287053a40f96258ba526264efaee4a0d8a2a8a3
Instruction Fuzzy Hash: 5B01042295C28A5FD3469BB48C695E97FE0EF46214F8401F6D09ACA0E3C93C1986C352

Function 00007FFD9A18113E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c4d06851a3e9bc53f88d4d1dd4f691cedaa86431a98582aecfe5495172774f
Instruction ID: 46293b1fc5f52a9d72dd7a660d78e9136d0cecda609a5614044ee643d2de835f
Opcode Fuzzy Hash: 00c4d06851a3e9bc53f88d4d1dd4f691cedaa86431a98582aecfe5495172774f
Instruction Fuzzy Hash: 4A11C033E0C24E9EEB559FB898252E9BBF1FF46314F4001B6D018E6082DB7C2545CB52

Function 00007FFD9A1805B0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5061610352f11a813f1205ec642d16f446dae408914fe161499ea00ad4270e
Instruction ID: 2c5000abc44118a8c837836895e6f86b09adf35165a48b2860feb0eea07c94ba
Opcode Fuzzy Hash: 7c5061610352f11a813f1205ec642d16f446dae408914fe161499ea00ad4270e
Instruction Fuzzy Hash: EE118633E0C14D9EEB15AFB8A8252ED7BB1EF45318F4441B6E058E60C6DE3C21448742

Function 00007FFD9A182D28 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5121910f16d7019c45b9cc6e9703a9b37a9e4779a38d916431511e9a0f28f16e
Instruction ID: a12d305d49626777ce5d688c7cfd7b046a7a8fa2541dd743bbcdeda3aa889e0c
Opcode Fuzzy Hash: 5121910f16d7019c45b9cc6e9703a9b37a9e4779a38d916431511e9a0f28f16e
Instruction Fuzzy Hash: 2E019663B18E4A4BD7A99B68A8919B17390EB64254B10467AE42FC618EDD38E8458342

Function 00007FFD9A1815A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d5d4b5a3b80c69bbeaf55eb7a6106c658df1f473fc39150fed38176a504ca9
Instruction ID: 9b3c5a3e1c1aeda32e9c83ee1fd5cff8d5e63663a88a473983efb93f2901adeb
Opcode Fuzzy Hash: 82d5d4b5a3b80c69bbeaf55eb7a6106c658df1f473fc39150fed38176a504ca9
Instruction Fuzzy Hash: 3301DD32F18D054BD7A99F6CA894DB273E0EB64355B10467BE42FC618EDD38E4458342

Function 00007FFD9A18924A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4811d52933da64caef45b511b24a216abb862cb26d0fc40012d4722495e78c2
Instruction ID: e1dd0ee595597e0cb5e16beab3a54aa0498a995045712dedc50eeaedc8e9cb8f
Opcode Fuzzy Hash: a4811d52933da64caef45b511b24a216abb862cb26d0fc40012d4722495e78c2
Instruction Fuzzy Hash: 1511A231E0462ACFCF58DFA4D8909EEBBB2FB4A301F101569D01AB7290DB755945CF90

Function 00007FFD9A180971 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713842bb54269035c691ccb689b236a24c4140b4096b9b706793f81ba2dd5d3c
Instruction ID: cdc3fbded79af5e623c3771115bec06fd861090b48ae3f23ae38a1bcbe44f80e
Opcode Fuzzy Hash: 713842bb54269035c691ccb689b236a24c4140b4096b9b706793f81ba2dd5d3c
Instruction Fuzzy Hash: BCF0A923E1C64D8FE7649B6C88692EC7BA1FF95211F8405F6D44CEA0E6DD385985C701

Function 00007FFD9A18253B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2920739933.00007FFD9A180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a180000_Mmt4YaKg5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ffb84357f9910d22a5579e2b4a069edac6d3b30a8350176d63ee96d93841bb
Instruction ID: 53226385c1b73ea93946386e2ad0ea5b97f0d53475b9560840047c18b1202030
Opcode Fuzzy Hash: 41ffb84357f9910d22a5579e2b4a069edac6d3b30a8350176d63ee96d93841bb
Instruction Fuzzy Hash: 0FE0683394CA4C8BDB65EB5CAC243D4B7E0FF89308F0001AAD02CE7181D33A5511C345

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mmt4YaKg5u.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Mmt4YaKg5u.exePID: 7820, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: Mmt4YaKg5u.exePID: 7820, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9A186DC6 Relevance: .5, Instructions: 472COMMON

Windows Analysis Report
Mmt4YaKg5u.exe