Edit tour

Windows Analysis Report
myTOrYevLI.exe

Overview

General Information

Sample name:	myTOrYevLI.exe renamed because original name is a hash value
Original sample name:	efb0bd87d4ee615b6892fcc83b234dff.exe
Analysis ID:	1581613
MD5:	efb0bd87d4ee615b6892fcc83b234dff
SHA1:	894a45c84d5a50db8d79653981d04cb4df7cc29c
SHA256:	1753c4e6332371b1a699ee865fa5496ca47b706cb41193d199a01eaadb955e4d
Tags:	exeuser-abuse_ch
Infos:

Detection

Phorpiex

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

Found evasive API chain (may stop execution after checking mutex)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for dropped file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

myTOrYevLI.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\myTOrYevLI.exe" MD5: EFB0BD87D4EE615B6892FCC83B234DFF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
myTOrYevLI.exe	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.myTOrYevLI.exe.4d0000.0.unpack	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security
0.0.myTOrYevLI.exe.4d0000.0.unpack	JoeSecurity_Phorpiex_5	Yara detected Phorpiex	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\chrome.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: myTOrYevLI.exe

ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chrome.exe	Joe Sandbox ML: detected

Phishing

Yara detected Phorpiex

Source: Yara match	File source: myTOrYevLI.exe, type: SAMPLE
Source: Yara match	File source: 0.2.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE

Source: myTOrYevLI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\myTOrYevLI.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: myTOrYevLI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdbx, source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2D5000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4268799703.0000000007456000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAEB000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4313211542.0000000008279000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4247381323.0000000006CA8000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4521833127.000000000CA95000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2DF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2D5000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4268799703.0000000007456000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BC6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAEB000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4313211542.0000000008279000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAF3000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4247381323.0000000006CA8000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4521833127.000000000CA95000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4523221510.000000000CAB6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008B07000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C281000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2DF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAF3000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4523221510.000000000CAB6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2, source: myTOrYevLI.exe, 00000000.00000002.4122786977.0000000002B15000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D2980 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathMatchSpecW,PathCombineW,FindNextFileW,CloseHandle,

0_2_004D2980

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: VC_redist.x64.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_8a2edf16-6

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: myTOrYevLI.exe, type: SAMPLE
Source: Yara match	File source: 0.2.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe 9D9E11B8D4849891A49FA11EBD197D970BF647640B770E6A196C13C9E006FCF4
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe 2787FB2327241FC636EDD9D712C7D880006EED5916DCF9C507684F1EC4E0A4F0

Source: myTOrYevLI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\myTOrYevLI.exe

File created: C:\Users\user\AppData\Roaming\windrx.txt

Jump to behavior

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Mutant created: \Sessions\1\BaseNamedObjects\6436646754

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Command line argument: 6436646754

0_2_004D1090

Source: myTOrYevLI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: myTOrYevLI.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\myTOrYevLI.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: myTOrYevLI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdbx, source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2D5000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4268799703.0000000007456000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAEB000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4313211542.0000000008279000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4247381323.0000000006CA8000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4521833127.000000000CA95000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2DF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2D5000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4268799703.0000000007456000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BC6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAEB000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4313211542.0000000008279000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAF3000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4247381323.0000000006CA8000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4521833127.000000000CA95000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4523221510.000000000CAB6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008B07000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C281000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: myTOrYevLI.exe, 00000000.00000002.4443173657.000000000B2DF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4401590868.000000000A37B000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4489330299.000000000C287000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4467238506.000000000BAF3000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4523221510.000000000CAB6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4359899792.00000000092E6000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4381723638.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4337387142.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, myTOrYevLI.exe, 00000000.00000002.4422571898.000000000AB47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2, source: myTOrYevLI.exe, 00000000.00000002.4122786977.0000000002B15000.00000004.00000020.00020000.00000000.sdmp

Source: myTOrYevLI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: myTOrYevLI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: myTOrYevLI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: myTOrYevLI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: myTOrYevLI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: initial sample

Static PE information: section where entry point is pointing to: .zero

Source: integrator.exe.0.dr	Static PE information: section name: .zero
Source: VC_redist.x64.exe.0.dr	Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.0.dr	Static PE information: section name: .zero
Source: chrome.exe.0.dr	Static PE information: section name: .zero

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D32E1 push ecx; ret

0_2_004D32F4

Source: C:\Users\user\Desktop\myTOrYevLI.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\myTOrYevLI.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\myTOrYevLI.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file

Source: C:\Users\user\Desktop\myTOrYevLI.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to dropped file
Source: C:\Users\user\Desktop\myTOrYevLI.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-558
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-558

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Thread delayed: delay time: 216000000			Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Thread delayed: delay time: 216000000			Jump to behavior

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Window / User API: threadDelayed 1445			Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Window / User API: threadDelayed 8134			Jump to behavior

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file

Source: C:\Users\user\Desktop\myTOrYevLI.exe TID: 6248	Thread sleep count: 1445 > 30	Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe TID: 6248	Thread sleep time: -312120000000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe TID: 6248	Thread sleep count: 8134 > 30	Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe TID: 6248	Thread sleep time: -1756944000000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D2980 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathMatchSpecW,PathCombineW,FindNextFileW,CloseHandle,

0_2_004D2980

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Thread delayed: delay time: 216000000			Jump to behavior
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Thread delayed: delay time: 216000000			Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D3418 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_004D3418

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D1DC0 mov eax, dword ptr fs:[00000030h]

0_2_004D1DC0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\myTOrYevLI.exe	Code function: 0_2_004D301D SetUnhandledExceptionFilter,		0_2_004D301D
Source: C:\Users\user\Desktop\myTOrYevLI.exe	Code function: 0_2_004D3418 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,		0_2_004D3418

Source: C:\Users\user\Desktop\myTOrYevLI.exe

Code function: 0_2_004D3348 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004D3348

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: myTOrYevLI.exe, type: SAMPLE
Source: Yara match	File source: 0.2.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.myTOrYevLI.exe.4d0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	122 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	122 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
myTOrYevLI.exe	45%	ReversingLabs	Win32.Ransomware.GandCrab

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	100%	Avira	W32/Infector.Gen
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\chrome.exe	100%	Avira	W32/Infector.Gen
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\chrome.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\chrome.exe	68%	ReversingLabs	Win32.Ransomware.GandCrab

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	VC_redist.x64.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581613
Start date and time:	2024-12-28 09:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	myTOrYevLI.exe renamed because original name is a hash value
Original Sample Name:	efb0bd87d4ee615b6892fcc83b234dff.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: myTOrYevLI.exe

Simulations

Behavior and APIs

Time	Type	Description
03:54:04	API Interceptor	9762779x Sleep call for process: myTOrYevLI.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	626wniisYq.exe	Get hash	malicious	Phorpiex	Browse
	td7aCkwbmN.exe	Get hash	malicious	Phorpiex	Browse
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	626wniisYq.exe	Get hash	malicious	Phorpiex	Browse
	td7aCkwbmN.exe	Get hash	malicious	Phorpiex	Browse

Created / dropped Files

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Download File

Process:	C:\Users\user\Desktop\myTOrYevLI.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4436200
Entropy (8bit):	6.567497127479377
Encrypted:	false
SSDEEP:	98304:3lkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pL:VkkCqaE68eV+0y8E6L
MD5:	6912BC3CB531D369558F9B55A145773B
SHA1:	4E2397CFA959CFDF9F7FF944BC1210DAF369D42A
SHA-256:	9D9E11B8D4849891A49FA11EBD197D970BF647640B770E6A196C13C9E006FCF4
SHA-512:	07CDCE5B6E204FEED048D4B38550AF78C22F12ACB335FD04C4349FE9456ECC627A5CFD61813931D0C43FAEE8A397B627B9992C16ED205F8688636CD5EF1E96E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Joe Sandbox View:	Filename: 626wniisYq.exe, Detection: malicious, Browse Filename: td7aCkwbmN.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L.................".... ....Z........C......`+...@...........................C..............................................=......p?..............RC..N....?.....<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@..B.zero.........C......RC................`........................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Download File

Process:	C:\Users\user\Desktop\myTOrYevLI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	654688
Entropy (8bit):	7.191321691914505
Encrypted:	false
SSDEEP:	12288:enMwHskY7gjcjhVIEhqgM7bWvcsi6aVUfIyaU40vy3W/ceKSHMsiFyY6XN:4MysZgjS1hqgSC/izkfJjymk4HM5yJ
MD5:	2E4F3FFE6E1B1ADAD701D7205CE379F1
SHA1:	03C0310CD0F7091AC4F9CF723B27C70B32C58135
SHA-256:	2787FB2327241FC636EDD9D712C7D880006EED5916DCF9C507684F1EC4E0A4F0
SHA-512:	7863E30C151B55164EFC584DD9E1F82087503B414FC68462237DAE03AD330FF2F7293D655DAA65BBBF3ABBD6606928D2D2E3B93710A2305EBA19F31E48CA9070
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: 626wniisYq.exe, Detection: malicious, Browse Filename: td7aCkwbmN.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L............................v.......p............@..........................}...........................................................;..........(...8(...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B.zero........p.........................`................................................................................................................

C:\Users\user\AppData\Local\Temp\chrome.exe

Download File

Process:	C:\Users\user\Desktop\myTOrYevLI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144896
Entropy (8bit):	6.793947225132544
Encrypted:	false
SSDEEP:	3072:PZLWfp2KkvL5kdnQrWLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHrC:hgkSdQ6mCtnRPF9cCGr/uH
MD5:	6CE46EB4C85D086F06BA00DD19B56A5C
SHA1:	DA45E3798D2581335C770A1EB3DF5EA2B6930D39
SHA-256:	0BA09F85F26EB3E7B08C6DAAB34D160BDCC3E0898BD67C5D57635DE8B4EC23C4
SHA-512:	109C5E563837B9A72C0455FCC7EC7B24CFFADF1EF4DAACD4C6B8B253FF2A16D0F458105AA46AE773B3A098DAE05129DA51B18F91224837BA84D0CD28505BCE5D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.T6...6...6...}...<...}.......}..."...............'......."...}...1...6...T.......7.....:.7...6.R.7.......7...Rich6...........PE..L......................#.....d.......`............@..........................m...............................................;..P....p.. ....................P......./..p............................/..@...............P............................text...3........................... ..`.rdata...c.......d..................@..@.data........P.......2..............@....rsrc... ....p.......<..............@..@.reloc.......P......................@..B.zero........`.......&.................`................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.878403133290268
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	myTOrYevLI.exe
File size:	20'992 bytes
MD5:	efb0bd87d4ee615b6892fcc83b234dff
SHA1:	894a45c84d5a50db8d79653981d04cb4df7cc29c
SHA256:	1753c4e6332371b1a699ee865fa5496ca47b706cb41193d199a01eaadb955e4d
SHA512:	d8af2a2f3f7506941de013864942dfb473c3a93659ccb95a06bbd13be803af91ad0661d7e87592422bdf854424cfb6afad11609088a987a27247d881b931ac67
SSDEEP:	384:I+0WLc01PhLACdSUk3/ibYTJ4JVB00tySVRe:n5PhUCIUPYAvtg
TLSH:	4A921907A956939BE8B2287053B32E25647A7E32231D84CFEF8009791674DD4BB3735A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2H..S&..S&..S&..+...S&..+...S&..+...S&...]..S&..S'..S&..+...S&..+...S&.Rich.S&.................PE..L.....og.................&.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402fd1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676F03F8 [Fri Dec 27 19:46:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	26d721f1fff47d0e5f11f2aba744001c

Entrypoint Preview

Instruction
call 00007F61107D4C27h
jmp 00007F61107D45EBh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F61107D48DCh
cmp dword ptr [eax+10h], 03h
jne 00007F61107D48D6h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F61107D48C7h
cmp eax, 19930521h
je 00007F61107D48C0h
cmp eax, 19930522h
je 00007F61107D48B9h
cmp eax, 01994000h
jne 00007F61107D48B7h
call 00007F61107D4C7Ch
xor eax, eax
pop ebp
retn 0004h
push 00402FDBh
call dword ptr [00404034h]
xor eax, eax
ret
int3
jmp dword ptr [0040410Ch]
push 00000014h
push 00405500h
call 00007F61107D4B13h
push dword ptr [00406384h]
mov esi, dword ptr [004040B4h]
call esi
pop ecx
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh
jne 00007F61107D48BEh
push dword ptr [ebp+08h]
call dword ptr [004040B8h]
pop ecx
jmp 00007F61107D4919h
push 00000008h
call 00007F61107D4C3Dh
pop ecx
and dword ptr [ebp-04h], 00000000h
push dword ptr [00406384h]
call esi
mov dword ptr [ebp-1Ch], eax
push dword ptr [00406380h]
call esi
pop ecx
pop ecx
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
mov esi, dword ptr [004040D0h]
call esi

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x553c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x204	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5478	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2524	0x2600	868d9060769699de804fdd0fb9af69cd	False	0.5326891447368421	data	6.131895732766902	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x1c14	0x1e00	575ce771da16de5c302d6458c607c5eb	False	0.43580729166666665	data	5.298022051582786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x38c	0x200	202a0f14ba4a024e6a35d5895669b769	False	0.060546875	data	0.35275948821577235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0x2b0	0x400	58a3970c5ba6bee8bcaf23ee7343f378	False	0.3623046875	data	5.190213072505898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x288	0x400	695b2e74cc6b6d6233b7005b7ca7b3f4	False	0.5	data	3.9846074464309296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7058	0x256	ASCII text, with CRLF line terminators	English	United States	0.5100334448160535

Imports

DLL	Import
SHLWAPI.dll	PathFileExistsW, StrCmpNW, PathCombineW, PathMatchSpecW
MSVCR90.dll	_crt_debugger_hook, _controlfp_s, _invoke_watson, _except_handler4_common, _decode_pointer, _onexit, _lock, __dllonexit, _unlock, ?terminate@@YAXXZ, __set_app_type, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, wcsstr, memset, memcpy, wcscat
KERNEL32.dll	IsDebuggerPresent, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, ExitThread, FindFirstFileW, lstrcmpW, FindNextFileW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, GetFileSize, CreateFileMappingA, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, Sleep, CreateMutexA, GetLastError, ExitProcess, CloseHandle, CreateFileW, ExpandEnvironmentStringsW, CreateThread
USER32.dll	CharLowerW
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegCloseKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:53:57
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\myTOrYevLI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\myTOrYevLI.exe"
Imagebase:	0x4d0000
File size:	20'992 bytes
MD5 hash:	EFB0BD87D4EE615B6892FCC83B234DFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.3%
Total number of Nodes:	136
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004D2980 Relevance: 56.2, APIs: 12, Strings: 20, Instructions: 162
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 004D29F2
memset.MSVCR90 ref: 004D2A08
PathCombineW.SHLWAPI(?,perflogs,004D5418), ref: 004D2A20
FindFirstFileW.KERNELBASE(?,?), ref: 004D2A34
lstrcmpW.KERNEL32(?,004D541C), ref: 004D2A64
lstrcmpW.KERNEL32(?,004D5420), ref: 004D2A7A
PathCombineW.SHLWAPI(?,perflogs,?), ref: 004D2A96
CharLowerW.USER32(?), ref: 004D2ACA
PathMatchSpecW.SHLWAPI(?,*.exe), ref: 004D2B38
PathCombineW.SHLWAPI(?,perflogs,?), ref: 004D2B58
FindNextFileW.KERNELBASE(000000FF,?), ref: 004D2BF3
CloseHandle.KERNELBASE(000000FF), ref: 004D2C08

Strings

default, xrefs: 004D29C1
wup, xrefs: 004D2B8E
DriveSec, xrefs: 004D2BBE
tSM, xrefs: 004D29AC
0SM, xrefs: 004D2997
@SM, xrefs: 004D299E
VolDri, xrefs: 004D2BA6
config, xrefs: 004D29CF
perflogs, xrefs: 004D2A18, 004D2A8E, 004D2B50
*.exe, xrefs: 004D2B2C
XSM, xrefs: 004D29A5
$SM, xrefs: 004D2990
SM, xrefs: 004D29D6
win, xrefs: 004D2B76
application data, xrefs: 004D29B3
sys, xrefs: 004D2B5E
intel, xrefs: 004D29BA
msocache, xrefs: 004D29C8
$recycle.bin, xrefs: 004D29DD
windows, xrefs: 004D2989, 004D2AFE

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: Path$Combine$FileFindlstrcmpmemset$CharCloseFirstHandleLowerMatchNextSpec
String ID: $SM$$recycle.bin$*.exe$0SM$@SM$DriveSec$VolDri$XSM$application data$config$default$intel$msocache$perflogs$sys$tSM$win$windows$wup$SM
API String ID: 1416314416-2567783100
Opcode ID: 1b061ce344f6e3f84d205381b40f98f40b43233a7d1bdad20e8d7d0d6b48aca1
Instruction ID: 64318bedc5e96fcadd59958db5973c7556cfb33bf7312be333c144bab61f6860
Opcode Fuzzy Hash: 1b061ce344f6e3f84d205381b40f98f40b43233a7d1bdad20e8d7d0d6b48aca1
Instruction Fuzzy Hash: 706187B19002189BCF20DF60DD99BDE7774AF65705F00459BE609A6340EBF89A88CF5D

Function 004D1090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 31
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 004D1099
CreateMutexA.KERNELBASE(00000000,00000000,6436646754), ref: 004D10A8
GetLastError.KERNEL32 ref: 004D10B1
ExitProcess.KERNEL32 ref: 004D10C0
Sleep.KERNELBASE(00001388), ref: 004D10D7
CreateThread.KERNELBASE(00000000,00000000,Function_00002C40,00000000,00000000,00000000), ref: 004D10EC
Sleep.KERNELBASE(0CDFE600), ref: 004D10F7

Strings

6436646754, xrefs: 004D109F

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: Sleep$Create$ErrorExitLastMutexProcessThread
String ID: 6436646754
API String ID: 302559243-3290978236
Opcode ID: 7b7655622f3c25b15f8af73fd0c9f1b6979f9691a34ee141dee26639332a21b0
Instruction ID: bef623855fba5a96d7c2166c83f6f31601e954b717c3fde872fb35192e63da44
Opcode Fuzzy Hash: 7b7655622f3c25b15f8af73fd0c9f1b6979f9691a34ee141dee26639332a21b0
Instruction Fuzzy Hash: C3F01230685300F7E7223BE1AE1FF193B68AB40B12F204423F705E96E0DAF464404A2D

Function 004D24E0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 226
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(+M,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004D24FC
GetFileSize.KERNEL32(000000FF,00000000), ref: 004D2518

Strings

+M, xrefs: 004D26B6, 004D26FF, 004D2773, 004D25D2, 004D25F8, 004D2714, 004D263D
.zero, xrefs: 004D26FA
+M, xrefs: 004D24F8, 004D24FB

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: File$CreateSize
String ID: .zero$+M$+M
API String ID: 2791376181-4133060555
Opcode ID: f2198f0e8ba2204c55b0eaa2421a1c7ec5fd172bb800718f06ee6aa08fa11e70
Instruction ID: c53d1b4a317cfb4a6aff5898e225b5c517f7b026436343d54e98df232e369d6c
Opcode Fuzzy Hash: f2198f0e8ba2204c55b0eaa2421a1c7ec5fd172bb800718f06ee6aa08fa11e70
Instruction Fuzzy Hash: EFA11E74E00209EFCB14CFA4D9A5BEEB7B1BF58700F20815AE6117B390D778A941DB68

Function 004D1000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%appdata%,?,00000208), ref: 004D101A
wcscat.MSVCR90 ref: 004D102C
PathFileExistsW.KERNELBASE(?), ref: 004D103B
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 004D1061
CloseHandle.KERNELBASE(000000FF), ref: 004D107D

Strings

\windrx.txt, xrefs: 004D1020
%appdata%, xrefs: 004D1015

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswcscat
String ID: %appdata%$\windrx.txt
API String ID: 3951416151-532699497
Opcode ID: f01110a7353d72c234ff6efa96e71dfc763d4213a79207adc99e28a717817259
Instruction ID: 33f118a6802b15cdd156b0a56e3322bdd6e5bc0f6124118cfaa641e5a3d5ae66
Opcode Fuzzy Hash: f01110a7353d72c234ff6efa96e71dfc763d4213a79207adc99e28a717817259
Instruction Fuzzy Hash: DB01F97490031477DB30AB609C0EFDA33385745700F1003A7B768A52D2DA7859C58F94

Function 004D28C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 004D28C6
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004D2914
RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004D2941
RegCloseKey.KERNELBASE(?), ref: 004D295E

Strings

NoDrives, xrefs: 004D2938
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004D2907

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 2a10fbd0a95f285012950181298e26e60aff3e213762dbe0389558cfa82754e1
Instruction ID: 60e4dde68b6ee56ab6ec137a09b87d0cdafad3892942dbb688d3dd0a6725fa1c
Opcode Fuzzy Hash: 2a10fbd0a95f285012950181298e26e60aff3e213762dbe0389558cfa82754e1
Instruction Fuzzy Hash: 031129B0E0020A9BDB10CFD0C959BEEBBB4FB44305F10815AE611B7280D7B86A45CF99

Function 004D2840 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNELBASE(004D281F), ref: 004D284D
QueryDosDeviceW.KERNELBASE(004D281F,?,00000208), ref: 004D288C
StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 004D28A4

Strings

\??\, xrefs: 004D2898

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: b5ff9a50623452d478e5a4fab8e335d1d138704bd496b0dd19bfaa50c5a0ee00
Instruction ID: 3780458d6e363b462b14d9c8637beff96a244e7daee75a0ca9ebcde69ad9e693
Opcode Fuzzy Hash: b5ff9a50623452d478e5a4fab8e335d1d138704bd496b0dd19bfaa50c5a0ee00
Instruction Fuzzy Hash: FB01FFB094020CEBDB20DF65CD59AD977B4AB58705F0082ABEA04A7340D6789AC9DF9C

Function 004D2C40 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D28C0: GetLogicalDrives.KERNELBASE ref: 004D28C6
Part of subcall function 004D28C0: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004D2914
Part of subcall function 004D28C0: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004D2941
Part of subcall function 004D28C0: RegCloseKey.KERNELBASE(?), ref: 004D295E

ExitThread.KERNEL32 ref: 004D2CA1

Part of subcall function 004D27E0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004D2833

Part of subcall function 004D2980: memset.MSVCR90 ref: 004D29F2
Part of subcall function 004D2980: memset.MSVCR90 ref: 004D2A08
Part of subcall function 004D2980: PathCombineW.SHLWAPI(?,perflogs,004D5418), ref: 004D2A20
Part of subcall function 004D2980: FindFirstFileW.KERNELBASE(?,?), ref: 004D2A34
Part of subcall function 004D2980: lstrcmpW.KERNEL32(?,004D541C), ref: 004D2A64
Part of subcall function 004D2980: lstrcmpW.KERNEL32(?,004D5420), ref: 004D2A7A
Part of subcall function 004D2980: PathCombineW.SHLWAPI(?,perflogs,?), ref: 004D2A96
Part of subcall function 004D2980: FindNextFileW.KERNELBASE(000000FF,?), ref: 004D2BF3
Part of subcall function 004D2980: CloseHandle.KERNELBASE(000000FF), ref: 004D2C08

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: CloseCombineFileFindPathlstrcmpmemset$DrivesExitFirstHandleLogicalNextOpenQueryThreadValuelstrcpy
String ID:
API String ID: 717983626-0
Opcode ID: d3b3a817ec8d8d2453e7838672fc796880fbf116dcb2bb469f6c1ad29e226077
Instruction ID: f8fd05d66f89af91306c70f66b510bd2484ae6625818ba3af766a161286cc17a
Opcode Fuzzy Hash: d3b3a817ec8d8d2453e7838672fc796880fbf116dcb2bb469f6c1ad29e226077
Instruction Fuzzy Hash: 160181B4D14208EBCB00EFD4CA569DEB7B0BF59705F1040ABD50173301E2B99E44DB6A

Function 004D27E0 Relevance: 1.3, APIs: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D2840: GetDriveTypeW.KERNELBASE(004D281F), ref: 004D284D

lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 004D2833

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: 8b6582825f11003521376742a890b6486abff9de21fd3d2bb92a227ceb78056d
Instruction ID: 6f7921a6e271c9081dc590218c99ce95a51a824af88edc7b52824568a991fb20
Opcode Fuzzy Hash: 8b6582825f11003521376742a890b6486abff9de21fd3d2bb92a227ceb78056d
Instruction Fuzzy Hash: 46F06D71D00248FBDB00EFA4D55579EB7B4EF44304F00C1AAE8159B340E279AB09DB49

Non-executed Functions

Function 004D301D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00002FDB), ref: 004D3022

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1395367fa4ebc113d030f80c36929a58cea6698d172fb90aa52cecbb1bdd34e2
Instruction ID: 740aa89d895485acfa4d95e21b737b2a1d9b3c622baab8e29c0755a942b0f143
Opcode Fuzzy Hash: 1395367fa4ebc113d030f80c36929a58cea6698d172fb90aa52cecbb1bdd34e2
Instruction Fuzzy Hash: 4C900270253100474B011B709E1D6052AF05BA87527520867E201E8154DAA441406559

Function 004D1DC0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction ID: be7eecee3400b42b3e558a840de4aeb97e4223185f45bdd8b65d759b642826a8
Opcode Fuzzy Hash: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction Fuzzy Hash: 85A002321A5B8CC7C612A68DA651B51B3ECE348D54F440461A50D43E015659B9108495

Function 004D2120 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCR90(?,004D4198,000010D0,00000000,.zero,000010D0,60000000), ref: 004D220B

Strings

F&M, xrefs: 004D2278
F&M, xrefs: 004D2126, 004D21A4
.zero, xrefs: 004D21D1

Memory Dump Source

Source File: 00000000.00000002.4120844265.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.4120826165.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120859061.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4120873284.00000000004D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_myTOrYevLI.jbxd

Similarity

API ID: memcpy
String ID: .zero$F&M$F&M
API String ID: 3510742995-1676765398
Opcode ID: 187ab56c328f634aed32698944b4ea408994909bf5441b0a0dedcc87721ae4c8
Instruction ID: a26b5b105e074d5d66ab26f6e3759c27bb1d3d89424a6d3d515d265b9e3906fb
Opcode Fuzzy Hash: 187ab56c328f634aed32698944b4ea408994909bf5441b0a0dedcc87721ae4c8
Instruction Fuzzy Hash: A551DA74D0010ADFCB04CF98C590AEEBBB1FF98314F24815AE815AB355D775A942CFA5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report myTOrYevLI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

C:\Users\user\AppData\Local\Temp\chrome.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
myTOrYevLI.exe

Function 004D2980 Relevance: 56.2, APIs: 12, Strings: 20, Instructions: 162
filestringCOMMON

Function 004D1090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 31
sleepsynchronizationthreadCOMMON

Function 004D24E0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 226
fileCOMMON

Function 004D1000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
fileCOMMON

Function 004D28C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Function 004D2840 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 004D2C40 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Function 004D27E0 Relevance: 1.3, APIs: 1, Instructions: 32
stringCOMMON

Function 004D2120 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 106
COMMON