Edit tour

Windows Analysis Report
oe8KMVNFEG.exe

Overview

General Information

Sample name:	oe8KMVNFEG.exe renamed because original name is a hash value
Original sample name:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9.exe
Analysis ID:	1588612
MD5:	e10abad4b0666e5acf257e4603453975
SHA1:	c5b02e62e6ad90541778f1b34ee9fc02f8e8d9b9
SHA256:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

oe8KMVNFEG.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\oe8KMVNFEG.exe" MD5: E10ABAD4B0666E5ACF257E4603453975)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oe8KMVNFEG.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: oe8KMVNFEG.exe	ReversingLabs: Detection: 60%
Source: oe8KMVNFEG.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: oe8KMVNFEG.exe

Joe Sandbox ML: detected

Source: oe8KMVNFEG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oe8KMVNFEG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.9.191.182 45.9.191.182

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xianggrhen.com

Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: oe8KMVNFEG.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002831000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.00000000027A5000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Ekaopt.mp4
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Ekaopt.mp4l
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002864000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002858000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000283A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002870000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002878000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000285C000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comD
Source: oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comd
Source: oe8KMVNFEG.exe	String found in binary or memory: https://www.paessler.com0

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_00C7E5F4	0_2_00C7E5F4
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_00C7F4E8	0_2_00C7F4E8
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_00C7F4F8	0_2_00C7F4F8

Source: oe8KMVNFEG.exe

Static PE information: invalid certificate

Source: oe8KMVNFEG.exe, 00000000.00000000.1335098887.00000000003EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEzwjwazt.exe vs oe8KMVNFEG.exe
Source: oe8KMVNFEG.exe, 00000000.00000002.3200479146.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oe8KMVNFEG.exe
Source: oe8KMVNFEG.exe	Binary or memory string: OriginalFilenameEzwjwazt.exe vs oe8KMVNFEG.exe

Source: oe8KMVNFEG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Mutant created: NULL

Source: oe8KMVNFEG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oe8KMVNFEG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oe8KMVNFEG.exe	ReversingLabs: Detection: 60%
Source: oe8KMVNFEG.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: oe8KMVNFEG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oe8KMVNFEG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_00C7EFC4 pushad ; retf	0_2_00C7EFC5
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_00C7EFC0 pushfd ; retf	0_2_00C7EFC1
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_04CA04F0 pushad ; retf	0_2_04CA04FD
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_04CA1178 push esp; ret	0_2_04CA1186
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_04CA1392 push ebx; ret	0_2_04CA1393

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: 4750000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Window / User API: threadDelayed 711			Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Window / User API: threadDelayed 1361			Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7848	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7848	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7880	Thread sleep count: 711 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7880	Thread sleep count: 1361 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7848	Thread sleep time: -85750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7848	Thread sleep time: -85562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 85750	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 85562	Jump to behavior

Source: oe8KMVNFEG.exe, 00000000.00000002.3200479146.00000000009C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Users\user\Desktop\oe8KMVNFEG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oe8KMVNFEG.exe	61%	ReversingLabs	Win32.Trojan.Jalapeno
oe8KMVNFEG.exe	64%	Virustotal		Browse
oe8KMVNFEG.exe	100%	Avira	HEUR/AGEN.1304477
oe8KMVNFEG.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://xianggrhen.com	0%	Avira URL Cloud	safe
http://xianggrhen.com/salad/Ekaopt.mp4	0%	Avira URL Cloud	safe
http://xianggrhen.comD	0%	Avira URL Cloud	safe
https://www.paessler.com0	0%	Avira URL Cloud	safe
http://xianggrhen.com/salad/Ekaopt.mp4l	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xianggrhen.com	45.9.191.182	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com/salad/Ekaopt.mp4	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com	oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002831000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xianggrhen.com/salad/Ekaopt.mp4l	oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002819000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.comD	oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002864000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002858000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000283A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002870000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002878000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000285C000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002860000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.comd	oe8KMVNFEG.exe, 00000000.00000002.3201152331.000000000286A000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.3201152331.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.paessler.com0	oe8KMVNFEG.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.9.191.182	xianggrhen.com	Germany		47583	AS-HOSTINGERLT	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588612
Start date and time:	2025-01-11 03:15:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oe8KMVNFEG.exe renamed because original name is a hash value
Original Sample Name:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9.exe
Detection:	MAL
Classification:	mal64.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 15 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.9.191.182	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Netnoyfq.mp3
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Emmaj.vdf
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Vuglyxyuvio.pdf
	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/camp/Reibbfkkyy.dat
	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/desk/Tbddfcris.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xianggrhen.com	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	45.9.191.182

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-HOSTINGERLT	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	92.249.45.121
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	92.249.45.121

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.717986822258666
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oe8KMVNFEG.exe
File size:	355'824 bytes
MD5:	e10abad4b0666e5acf257e4603453975
SHA1:	c5b02e62e6ad90541778f1b34ee9fc02f8e8d9b9
SHA256:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9
SHA512:	845f21d7e482cc5bdf226837e066b44db9a968cc20b5d36862ac2658c94ed7de11eca4163d8b324bd1dda8d0626cebf0b31316c97bf6901d6fe82117bc6b930a
SSDEEP:	6144:5PfmPMXk/cCRLxPJ2aQtr7beeozoI9QAjK0N:5TXk0C9eRwvn
TLSH:	BD74C3F4DFF4C024C68861F5E01D4624D2E0A9A9DF728E06AAA753AC15A27DCDDCC1E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Og.................j............... ........@.. ....................................`................................

File Icon


Icon Hash:	1838d371e870710e

Static PE Info

General

Entrypoint:	0x4288ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FE587 [Wed Dec 4 05:15:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/02/2022 01:00:00 13/02/2025 00:59:59
Subject Chain	CN=Paessler AG, O=Paessler AG, L=N\xfcrnberg, C=DE
Version:	3
Thumbprint MD5:	234FA1A9133E1A346EA15776D9F6CCDF
Thumbprint SHA-1:	67F655F2440F1D2C453963909848E352D0EA89B2
Thumbprint SHA-256:	977E514E290BF4040604678E5E6615183CB8B77EC24D3A59B3C6794DD03CBC8E
Serial:	0CB1CD6F7F1F8923E738064FB0E9FECA

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28880	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x2d200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54000	0x2df0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x268d4	0x26a00	bac9665143180cc6fff9248b01f10d3b	False	0.43673518406148865	data	6.045797265471035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x2d200	0x2d200	903029ae5522937eeeccf4d8202b8d14	False	0.24765192174515235	data	4.541245382679845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	7b8c32915a3a4ddef936e6c3fdb68033	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2a2b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.549645390070922
RT_ICON	0x2a718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	0.39549180327868855
RT_ICON	0x2b0a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.32082551594746717
RT_ICON	0x2c148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.23443983402489627
RT_ICON	0x2e6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.19845299952763346
RT_ICON	0x32918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m	0.17841959334565619
RT_ICON	0x37da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 11811 x 11811 px/m	0.14746689089762455
RT_ICON	0x41248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.1194398438424228
RT_ICON	0x51a70	0x4dc9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.99598252397931
RT_GROUP_ICON	0x5683c	0x84	data	0.7272727272727273
RT_VERSION	0x568c0	0x5a8	data	0.30455801104972374
RT_MANIFEST	0x56e68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:16:27.800849915 CET	49703	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:27.805778027 CET	80	49703	45.9.191.182	192.168.2.7
Jan 11, 2025 03:16:27.805856943 CET	49703	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:27.806723118 CET	49703	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:27.811608076 CET	80	49703	45.9.191.182	192.168.2.7
Jan 11, 2025 03:16:49.178898096 CET	80	49703	45.9.191.182	192.168.2.7
Jan 11, 2025 03:16:49.179052114 CET	49703	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:49.189204931 CET	49703	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:49.189860106 CET	49833	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:49.194005013 CET	80	49703	45.9.191.182	192.168.2.7
Jan 11, 2025 03:16:49.194734097 CET	80	49833	45.9.191.182	192.168.2.7
Jan 11, 2025 03:16:49.194828987 CET	49833	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:49.195064068 CET	49833	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:16:49.199851036 CET	80	49833	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:10.575511932 CET	80	49833	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:10.575586081 CET	49833	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:10.576800108 CET	49833	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:10.583318949 CET	80	49833	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:10.586653948 CET	49973	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:10.593082905 CET	80	49973	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:10.593216896 CET	49973	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:10.593487024 CET	49973	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:10.599849939 CET	80	49973	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:32.008014917 CET	80	49973	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:32.008095980 CET	49973	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:32.053456068 CET	49973	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:32.058274984 CET	80	49973	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:32.063805103 CET	49975	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:32.068625927 CET	80	49975	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:32.068720102 CET	49975	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:32.078267097 CET	49975	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:32.083028078 CET	80	49975	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:53.464746952 CET	80	49975	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:53.465022087 CET	49975	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:53.466089010 CET	49975	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:53.468044996 CET	49977	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:53.470909119 CET	80	49975	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:53.472876072 CET	80	49977	45.9.191.182	192.168.2.7
Jan 11, 2025 03:17:53.472954035 CET	49977	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:53.473114967 CET	49977	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:17:53.477910042 CET	80	49977	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:14.889580965 CET	80	49977	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:14.889695883 CET	49977	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:14.890753984 CET	49977	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:14.891458035 CET	49978	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:14.895575047 CET	80	49977	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:14.896372080 CET	80	49978	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:14.896563053 CET	49978	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:14.896693945 CET	49978	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:14.901587963 CET	80	49978	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:36.275034904 CET	80	49978	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:36.275202990 CET	49978	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:36.277177095 CET	49978	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:36.280663013 CET	49979	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:36.282068014 CET	80	49978	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:36.285599947 CET	80	49979	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:36.285707951 CET	49979	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:36.285893917 CET	49979	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:36.290714025 CET	80	49979	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:57.650383949 CET	80	49979	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:57.650557995 CET	49979	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:57.651608944 CET	49979	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:57.652436018 CET	49980	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:57.656429052 CET	80	49979	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:57.657252073 CET	80	49980	45.9.191.182	192.168.2.7
Jan 11, 2025 03:18:57.657347918 CET	49980	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:57.657597065 CET	49980	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:18:57.662317038 CET	80	49980	45.9.191.182	192.168.2.7
Jan 11, 2025 03:19:19.046072960 CET	80	49980	45.9.191.182	192.168.2.7
Jan 11, 2025 03:19:19.046318054 CET	49980	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:19:19.047158003 CET	49980	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:19:19.049257040 CET	49981	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:19:19.051935911 CET	80	49980	45.9.191.182	192.168.2.7
Jan 11, 2025 03:19:19.054070950 CET	80	49981	45.9.191.182	192.168.2.7
Jan 11, 2025 03:19:19.054162979 CET	49981	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:19:19.054394960 CET	49981	80	192.168.2.7	45.9.191.182
Jan 11, 2025 03:19:19.076916933 CET	80	49981	45.9.191.182	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:16:27.777818918 CET	62249	53	192.168.2.7	1.1.1.1
Jan 11, 2025 03:16:27.790286064 CET	53	62249	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:16:27.777818918 CET	192.168.2.7	1.1.1.1	0xa4c	Standard query (0)	xianggrhen.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:16:27.790286064 CET	1.1.1.1	192.168.2.7	0xa4c	No error (0)	xianggrhen.com		45.9.191.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xianggrhen.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:16:27.806723118 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49833	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:16:49.195064068 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49973	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:17:10.593487024 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49975	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:17:32.078267097 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49977	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:17:53.473114967 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49978	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:18:14.896693945 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49979	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:18:36.285893917 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49980	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:18:57.657597065 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49981	45.9.191.182	80	7772	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:19:19.054394960 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: oe8KMVNFEG.exePID: 7772, Parent PID: 4056

General

Target ID:	0
Start time:	21:16:26
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\oe8KMVNFEG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oe8KMVNFEG.exe"
Imagebase:	0x3c0000
File size:	355'824 bytes
MD5 hash:	E10ABAD4B0666E5ACF257E4603453975
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: oe8KMVNFEG.exePID: 7772, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	100
Total number of Limit Nodes:	5

Executed Functions

Function 00C7CB08 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C7CB96
GetCurrentThread.KERNEL32 ref: 00C7CBD3
GetCurrentProcess.KERNEL32 ref: 00C7CC10
GetCurrentThreadId.KERNEL32 ref: 00C7CC69

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1d3020976cd2170fce822670b06add7b3e937200f310199d3ccbcacba8170795
Instruction ID: 80b9f55cfff64466ead0d52ae28a4ae0c581acee2d380e1cbfb42efc298665b8
Opcode Fuzzy Hash: 1d3020976cd2170fce822670b06add7b3e937200f310199d3ccbcacba8170795
Instruction Fuzzy Hash: 9A5166B1901749CFEB14DFA9D588B9EBBF1EB48300F24C059E019AB2A1D774A944CB66

Function 00C7CB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C7CB96
GetCurrentThread.KERNEL32 ref: 00C7CBD3
GetCurrentProcess.KERNEL32 ref: 00C7CC10
GetCurrentThreadId.KERNEL32 ref: 00C7CC69

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4d15e5c820055fca9f82de939b0635065e187cc0480f1b3fc46bd67ee81bcad1
Instruction ID: ba50e21fe503a79484cd2318d066c36dbea718f0e5c06c6da26d3ad3353b1405
Opcode Fuzzy Hash: 4d15e5c820055fca9f82de939b0635065e187cc0480f1b3fc46bd67ee81bcad1
Instruction Fuzzy Hash: 475136B0900709CFEB14DFAAD588B9EBBF1EB48314F24C059E419A7390D774A944CF66

Function 00C7A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C7A6DE

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6eac1f6ec692511a196c97db032c5df63007bd84291df89fa0f4df8d988a5f45
Instruction ID: 50252602c498dc8d14db0482fbcf443cc5e204215f74680308dcb3185d6141d3
Opcode Fuzzy Hash: 6eac1f6ec692511a196c97db032c5df63007bd84291df89fa0f4df8d988a5f45
Instruction Fuzzy Hash: A9813570A00B058FD764DF29D44575ABBF2FF88304F008A2EE49AD7A50DB75E945CB92

Function 04CA0F64 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04CA1082

Memory Dump Source

Source File: 00000000.00000002.3201989820.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_oe8KMVNFEG.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f99e4a2d67c952e9caeebf53b0b3291de916bd5a3d4816d4955e7842f80815c4
Instruction ID: 013074f75420530066997ad8dffcce4db3fe5393028ebb860efb144a93a762c9
Opcode Fuzzy Hash: f99e4a2d67c952e9caeebf53b0b3291de916bd5a3d4816d4955e7842f80815c4
Instruction Fuzzy Hash: AE51C0B1D00359DFDB14CF9AC884ADEBBB6FF48314F24812AE819AB250D775A941CF90

Function 04CA0F70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04CA1082

Memory Dump Source

Source File: 00000000.00000002.3201989820.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_oe8KMVNFEG.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7547e1b6695cee30eac6b1e55183d5227960fe8ed19133c4dd2828a2a6a57be9
Instruction ID: 32f8fde0ca9f616625a556a32f3527f6f60c1d132c20a15514e29e3094204d80
Opcode Fuzzy Hash: 7547e1b6695cee30eac6b1e55183d5227960fe8ed19133c4dd2828a2a6a57be9
Instruction Fuzzy Hash: 9D41C0B1D00359DFDB14CF9AC884ADEBBB6FF48314F24812AE818AB250D775A945CF90

Function 04CA1E84 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04CA3771

Memory Dump Source

Source File: 00000000.00000002.3201989820.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_oe8KMVNFEG.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: dc5c99615809c119c1af45f19de82fa5554eae38a412d73c668cd8f185c354df
Instruction ID: d94d964048c3231eaaa34a9136da6817749e4fa73eee6c26c3619af5d1804de4
Opcode Fuzzy Hash: dc5c99615809c119c1af45f19de82fa5554eae38a412d73c668cd8f185c354df
Instruction Fuzzy Hash: CB413AB9900345DFDB14CF99C488BAABBF6FB88314F24C459D819AB321D334A841CFA5

Function 00C7CD60 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C7CDE7

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 289686efb21409e1da135b73c45a01bc348e4fd1362040ff391249a9a0816593
Instruction ID: 21b69dc812fd1934a63a886a7b99a1af0c16847b9716adf2af20ff09576aa7ee
Opcode Fuzzy Hash: 289686efb21409e1da135b73c45a01bc348e4fd1362040ff391249a9a0816593
Instruction Fuzzy Hash: 1421B3B5D00249DFDB10CF9AD984ADEBBF9EB48310F14841AE918A7350D379A944CFA5

Function 00C7CD58 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C7CDE7

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 151e9f38d7c8e754c53cf43ebc16a9eabc82ff30ba9e12457680d119f8af96aa
Instruction ID: 2e2ce40082cb4685ced26e4ec907891f76075183a7bf525cfa77f3ce9d42a693
Opcode Fuzzy Hash: 151e9f38d7c8e754c53cf43ebc16a9eabc82ff30ba9e12457680d119f8af96aa
Instruction Fuzzy Hash: F421E2B5D00259DFDB10CFA9D580ADEBBF5FB48310F14802AE918A7350D378A954CFA5

Function 00C7A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C7A6DE

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a26aeab621cebbdd2867df4c626879e1885d9c6b1acc50fcf8bf13d4eb9ad0f
Instruction ID: 8d3bfe53efbba2d7decb0f306718b24222c2ce75afbd4c1991611b25176f15bb
Opcode Fuzzy Hash: 6a26aeab621cebbdd2867df4c626879e1885d9c6b1acc50fcf8bf13d4eb9ad0f
Instruction Fuzzy Hash: 2011E0B6C00649CFDB20DF9AC444BDEFBF8EB88314F15841AD829A7610C379A545CFA5

Function 0090D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200351593.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bca8d6794c91525bba45b328a8f99b4f0fd3afeebbacbd899dfbff2b16b6356
Instruction ID: caf057ab7ef63e0c49cfb5297ed89e406b99132f4ed8525bd78166d843bb2146
Opcode Fuzzy Hash: 4bca8d6794c91525bba45b328a8f99b4f0fd3afeebbacbd899dfbff2b16b6356
Instruction Fuzzy Hash: 38210672504200DFDB15DF54D9C0B26BF65FB94318F208569ED090B29AC33AD856CAA2

Function 0091D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200379024.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6952fa91021334f60e93173944dfd48a8c810aa9f26a7ca310fa8ec5497669
Instruction ID: f1e244f559028cf5045ce4aafa6292a1ddce128abc4d9962539507ad4601954d
Opcode Fuzzy Hash: ed6952fa91021334f60e93173944dfd48a8c810aa9f26a7ca310fa8ec5497669
Instruction Fuzzy Hash: 2721F875604308DFDB14DF14D5C4B56BB65FB88314F20C96DD8094B296C33AD887CA62

Function 0091D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200379024.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ccedf2634f70b6688f4fa1b67d69d983e16e063743c38167f93a55659c7926
Instruction ID: 497f3ac316ed024913ddcefde960bc60080863b7f051ab8c7778aa07b56be626
Opcode Fuzzy Hash: 37ccedf2634f70b6688f4fa1b67d69d983e16e063743c38167f93a55659c7926
Instruction Fuzzy Hash: 1A21CF755093C48FDB02CF20D990715BF71EB4A314F28C5EAD8498F6A3C33A984ACB62

Function 0090D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200351593.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: fe7326b6a9ff8fb42b01e7f43cd685c87d22e34a1b6171cfcffb137431f7db85
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: B611E1B2804240DFCB16CF44D9C0B16BF71FB84324F24C5A9ED094B69AC336D856CBA2

Function 0090D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200351593.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f80d9997116992fa3814cd2efc0d57c441306a772db4120a2ab080b3ee2d6de
Instruction ID: 520c7659bb475771a2dcda4be7b817a5149a4acc19e27b893f519701ef8bbe0e
Opcode Fuzzy Hash: 4f80d9997116992fa3814cd2efc0d57c441306a772db4120a2ab080b3ee2d6de
Instruction Fuzzy Hash: 7101DB714053449EE7204B65DD84B66FBDCEF41764F14C45AED094E2C2C3789840CAB6

Function 0090D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200351593.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa85460726a7fcdfb66a64d1bfda12c2518e37b11cec361efd8d33ef5a15f938
Instruction ID: 13d6746cbbd1228cd2ab6bd3fbec197081569bff85077efb97304651e501a76c
Opcode Fuzzy Hash: aa85460726a7fcdfb66a64d1bfda12c2518e37b11cec361efd8d33ef5a15f938
Instruction Fuzzy Hash: 0FF06D72445344AEEB208A16D984B62FFECEB51724F18C55AED484F6C7C3799C44CAB1

Non-executed Functions

Function 00C7F4F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7cf08d60e6d9a38a0ee20842e9b8539fb89b1f6094e2ab5715660228481e4a
Instruction ID: 76239b5d20d1c1035f1ae46d2c3693bb78335d38f7c9b6476fe59e2f344344dc
Opcode Fuzzy Hash: cb7cf08d60e6d9a38a0ee20842e9b8539fb89b1f6094e2ab5715660228481e4a
Instruction Fuzzy Hash: 1A12C6B0405F458AE730CF25FC4C9993BB1BBA5328B904609D161AB3F9EBB9114BDF64

Function 00C7E5F4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ef2cea891c55ce571de85ef5db555d775bcacb55f1033c0fff158e5c415f15
Instruction ID: 2c760f9e46c16c65afb634447fa776bd3157d3a3408faa736e50274992be50d1
Opcode Fuzzy Hash: 83ef2cea891c55ce571de85ef5db555d775bcacb55f1033c0fff158e5c415f15
Instruction Fuzzy Hash: 9AA17E32E00219CFCF15DFB5C84459EBBB2FF99300B1585AAF809AB261DB71E906CB50

Function 00C7F4E8 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3200708289.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8a09ba84d5a3e5aabe9b193857f3ef5c98f16e7f5108c8e935c82c68347d5b
Instruction ID: f8a6cb044ed2b9f8bfa83fd7710c4bef588ba6f50c17c055df343de4e37ab075
Opcode Fuzzy Hash: ab8a09ba84d5a3e5aabe9b193857f3ef5c98f16e7f5108c8e935c82c68347d5b
Instruction Fuzzy Hash: 38C10AB0801B458BE720CF65FC48A997BB1BBA5324F504709D161AB3F8EBB4144BDF64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oe8KMVNFEG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
oe8KMVNFEG.exe

Function 00C7CB08 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 00C7CB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00C7A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 04CA0F64 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 04CA0F70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 04CA1E84 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00C7CD60 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00C7CD58 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 00C7A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON