Windows Analysis Report
kKedpe24sH.exe

Overview

General Information

Sample name:kKedpe24sH.exe
renamed because original name is a hash value
Original sample name:02d34aaf036eafb8f42f20a0dd1d30a7aeb89c5c5b463ec8f67f3cd73f58ed20.exe
Analysis ID:1623621
MD5:affe33c992206475938b7b0692aba80f
SHA1:3115962dd85e60b0f96c92b8b96577edc0169791
SHA256:02d34aaf036eafb8f42f20a0dd1d30a7aeb89c5c5b463ec8f67f3cd73f58ed20
Tags: 101-43-216-184, exe, user-JAMESWT_MHT

Detection

Metasploit
Score:72
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • kKedpe24sH.exe (PID: 2764 cmdline: "C:\Users\user\Desktop\kKedpe24sH.exe" MD5: AFFE33C992206475938B7B0692ABA80F)
  • cleanup
{
  "Type": "Shell Reverse Tcp",
  "IP": "101.43.216.184",
  "Port": 11519
}
Source  Rule  Description  Author  Strings
00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp  JoeSecurity_MetasploitPayload_3  Yara detected Metasploit Payload  Joe Security
00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp  Windows_Trojan_Metasploit_a6e956c9  Identifies the API address lookup function leverage by metasploit shellcode  unknown
    • 0x81c:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Metasploit {"Type": "Shell Reverse Tcp", "IP": "101.43.216.184", "Port": 11519}
    Source: kKedpe24sH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Binary string: C:\app\LVInstaller\VideofusionInstaller\build\Release\JianyingUninstaller.pdb source: kKedpe24sH.exe
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004343F0 CreateDirectoryW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,_memmove,GetFileAttributesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0041A430 _memset,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,

    Networking

    Source: Malware configuration extractorIPs: 101.43.216.184
    Source: global trafficTCP traffic: 192.168.2.9:49813 -> 101.43.216.184:11519
    Source: Joe Sandbox ViewASN Name: CNIX-APChinaNetworksInter-ExchangeCN CNIX-APChinaNetworksInter-ExchangeCN
    Source: unknownTCP traffic detected without corresponding DNS query: 101.43.216.184
    Source: unknownTCP traffic detected without corresponding DNS query: 101.43.216.184
    Source: unknownTCP traffic detected without corresponding DNS query: 101.43.216.184
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0079089E LoadLibraryA,WSASocketA,connect,recv,VirtualAlloc,recv,
    Source: kKedpe24sH.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: kKedpe24sH.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: kKedpe24sH.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: kKedpe24sH.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: kKedpe24sH.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: kKedpe24sH.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: kKedpe24sH.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: kKedpe24sH.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: kKedpe24sH.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
    Source: kKedpe24sH.exeString found in binary or memory: http://ocsp.digicert.com0
    Source: kKedpe24sH.exeString found in binary or memory: http://ocsp.digicert.com0A
    Source: kKedpe24sH.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: kKedpe24sH.exeString found in binary or memory: http://ocsp.digicert.com0X
    Source: kKedpe24sH.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: kKedpe24sH.exeString found in binary or memory: https://imagemagick.org
    Source: kKedpe24sH.exeString found in binary or memory: https://lv.ulikecam.com/URLInfoAboutShenzhen

    System Summary

    Source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
    Source: C:\Users\user\Desktop\kKedpe24sH.exeProcess Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0040E210
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004EF760
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_00419780
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004038C0
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004EF92A
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0043CA00
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004F6C6F
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0044EDD0
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0043BDB0
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004FEEF0
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: String function: 00520F08 appears 61 times
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: String function: 004EAE26 appears 32 times
    Source: kKedpe24sH.exeStatic PE information: invalid certificate
    Source: kKedpe24sH.exe, 00000000.00000000.1366990784.0000000000543000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ( ) / _ 0Check failed: !g_top_manager. d:\work_code\liebaocodes\liebao_46\src_import\base\at_exit.ccTried to ~AtExitManager without an AtExitManagerthis == g_top_managerCheck failed: func. Tried to RegisterCallback without an AtExitManagerTried to ProcessCallbacksNow without an AtExitManagerCheck failed: shadow || !g_top_manager. BrokerEventCheck failed: thread_handle. d:\work_code\liebaocodes\liebao_46\src_import\base\threading\platform_thread_win.ccCheck failed: thread_handle.platform_handle(). Unknown priority.desired_priority != (0x7fffffff)Failed to set thread priority to GetThreadPriority errorUnexpected priority: cannot find delimiter in: d:\work_code\liebaocodes\liebao_46\src_import\base\strings\string_split.cccannot parse value from input: Check failed: data_.get(). d:\work_code\liebaocodes\liebao_46\src_import\base\file_version_info_win.cc\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%ls vs kKedpe24sH.exe
    Source: kKedpe24sH.exe, 00000000.00000002.3814872573.0000000000543000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ( ) / _ 0Check failed: !g_top_manager. d:\work_code\liebaocodes\liebao_46\src_import\base\at_exit.ccTried to ~AtExitManager without an AtExitManagerthis == g_top_managerCheck failed: func. Tried to RegisterCallback without an AtExitManagerTried to ProcessCallbacksNow without an AtExitManagerCheck failed: shadow || !g_top_manager. BrokerEventCheck failed: thread_handle. d:\work_code\liebaocodes\liebao_46\src_import\base\threading\platform_thread_win.ccCheck failed: thread_handle.platform_handle(). Unknown priority.desired_priority != (0x7fffffff)Failed to set thread priority to GetThreadPriority errorUnexpected priority: cannot find delimiter in: d:\work_code\liebaocodes\liebao_46\src_import\base\strings\string_split.cccannot parse value from input: Check failed: data_.get(). d:\work_code\liebaocodes\liebao_46\src_import\base\file_version_info_win.cc\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%ls vs kKedpe24sH.exe
    Source: kKedpe24sH.exe, 00000000.00000000.1367045636.0000000000603000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameJianyingPro@ vs kKedpe24sH.exe
    Source: kKedpe24sH.exeBinary or memory string: ( ) / _ 0Check failed: !g_top_manager. d:\work_code\liebaocodes\liebao_46\src_import\base\at_exit.ccTried to ~AtExitManager without an AtExitManagerthis == g_top_managerCheck failed: func. Tried to RegisterCallback without an AtExitManagerTried to ProcessCallbacksNow without an AtExitManagerCheck failed: shadow || !g_top_manager. BrokerEventCheck failed: thread_handle. d:\work_code\liebaocodes\liebao_46\src_import\base\threading\platform_thread_win.ccCheck failed: thread_handle.platform_handle(). Unknown priority.desired_priority != (0x7fffffff)Failed to set thread priority to GetThreadPriority errorUnexpected priority: cannot find delimiter in: d:\work_code\liebaocodes\liebao_46\src_import\base\strings\string_split.cccannot parse value from input: Check failed: data_.get(). d:\work_code\liebaocodes\liebao_46\src_import\base\file_version_info_win.cc\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%ls vs kKedpe24sH.exe
    Source: kKedpe24sH.exeBinary or memory string: OriginalFilenameJianyingPro@ vs kKedpe24sH.exe
    Source: kKedpe24sH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
    Source: classification engineClassification label: mal72.troj.evad.winEXE@1/0@0/1
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0042C900 FormatMessageA,GetLastError,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0040A350 CreateToolhelp32Snapshot,
    Source: kKedpe24sH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\kKedpe24sH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\kKedpe24sH.exeSection loaded: powrprof.dll
    Source: C:\Users\user\Desktop\kKedpe24sH.exeSection loaded: umpdc.dll
    Source: C:\Users\user\Desktop\kKedpe24sH.exeSection loaded: mswsock.dll
    Source: kKedpe24sH.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: kKedpe24sH.exeStatic file information: File size 3182704 > 1048576
    Source: kKedpe24sH.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x142000
    Source: kKedpe24sH.exeStatic PE information: More than 200 imports for KERNEL32.dll
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: kKedpe24sH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\app\LVInstaller\VideofusionInstaller\build\Release\JianyingUninstaller.pdb source: kKedpe24sH.exe
    Source: kKedpe24sH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: kKedpe24sH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: kKedpe24sH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: kKedpe24sH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: kKedpe24sH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004EC388 push ecx; ret
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004ED885 push ecx; ret
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_007907CA push 0019FEE0h; ret
    Source: C:\Users\user\Desktop\kKedpe24sH.exeAPI coverage: 2.1 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004343F0 CreateDirectoryW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,_memmove,GetFileAttributesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0041A430 _memset,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,
    Source: kKedpe24sH.exe, 00000000.00000002.3815271327.00000000009AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~

    Anti Debugging

    Source: C:\Users\user\Desktop\kKedpe24sH.exeProcess Stats: CPU usage > 42% for more than 60s
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004F55CA _memset,IsDebuggerPresent,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_00519A5F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004F7AC2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_00501F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: GetLocaleInfoW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_004F409A GetSystemTimeAsFileTime,__aulldiv,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_0050DC4D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\user\Desktop\kKedpe24sH.exeCode function: 0_2_00428FB0 GetCurrentProcess,GetModuleHandleW,GetProcAddress,_memset,GetVersionExW,GetNativeSystemInfo,GetModuleHandleW,GetProcAddress,

    Remote Access Functionality

    Source: Yara matchFile source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    MITRE ATT&CK matrix (a table in the original; the tactic columns and the techniques the report marked with signature hits are what survives here)
    Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
    Techniques with signature hits: DLL Side-Loading (Persistence, Privilege Escalation, Defense Evasion); Virtualization/Sandbox Evasion (Defense Evasion, Discovery); Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Security Software Discovery; System Time Discovery; Process Discovery; File and Directory Discovery; System Information Discovery; Archive Collected Data; Encrypted Channel; Non-Standard Port; Ingress Tool Transfer; Application Layer Protocol
    Behavior Graph ID: 1623621  Sample: kKedpe24sH.exe  Start date: 25/02/2025  Architecture: WINDOWS  Score: 72
    Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected Metasploit Payload; C2 URLs / IPs found in malware configuration
    Process started: kKedpe24sH.exe
      Network: 101.43.216.184:11519 (local port 49813), CNIX-APChinaNetworksInter-ExchangeCN, China
      Signature: Found potential dummy code loops (likely to delay analysis)

    Antivirus detection (sample)
    Source  Detection  Scanner  Label  Link
    kKedpe24sH.exe  0%  ReversingLabs
    kKedpe24sH.exe  0%  Virustotal  Browse
    No Antivirus matches

    URL detection
    Source  Detection  Scanner  Label  Link
    https://lv.ulikecam.com/URLInfoAboutShenzhen  0%  Avira URL Cloud  safe

    Domains
    Name  IP  Active  Malicious  Antivirus Detection  Reputation
    s-part-0032.t-0009.t-msedge.net  13.107.246.60  true  false  high

    URLs
    Name  Source  Malicious  Antivirus Detection  Reputation
    https://imagemagick.org  kKedpe24sH.exe  false  high
    https://lv.ulikecam.com/URLInfoAboutShenzhen  kKedpe24sH.exe  false  Avira URL Cloud: safe  unknown

    IPs
    IP  Domain  Country  ASN  ASN Name  Malicious
    101.43.216.184  unknown  China  4847  CNIX-APChinaNetworksInter-ExchangeCN  true
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1623621
        Start date and time:2025-02-25 12:28:17 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 40s
        Hypervisor based Inspection enabled:false
        Report type:light
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:8
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:kKedpe24sH.exe
        renamed because original name is a hash value
        Original Sample Name:02d34aaf036eafb8f42f20a0dd1d30a7aeb89c5c5b463ec8f67f3cd73f58ed20.exe
        Detection:MAL
        Classification:mal72.troj.evad.winEXE@1/0@0/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 55%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Override analysis time to 240s for sample files taking high CPU consumption
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.60, 4.245.163.56, 23.206.229.209
        • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        No simulations
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):4.723435922891534
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:kKedpe24sH.exe
        File size:3'182'704 bytes
        MD5:affe33c992206475938b7b0692aba80f
        SHA1:3115962dd85e60b0f96c92b8b96577edc0169791
        SHA256:02d34aaf036eafb8f42f20a0dd1d30a7aeb89c5c5b463ec8f67f3cd73f58ed20
        SHA512:fa73f848fc53a9020c52d10c062c586e795a9e2d3c4ce4f7d84f0625216270544021b9fe7af3fe392616630f6dded6b46b1b5ecbdf7304dd3a713727f6fe083a
        SSDEEP:49152:XSJLFlgNwoJtGngl8sNEjmEJ0k6ii5G2u1hPMD:XqLsStak6i/hPm
        TLSH:ABE55B22B8408135FAA212B6D6FDFA3445AC9E10072952D793DC3D1B3FB46E37B35296
        File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........v.............0...................S...................sG......sG......sG..........w....'..$....'.......'.......'.............
        Icon Hash:00b0e470e4e430c2
        Entrypoint:0x4f5541
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x659F8C74 [Thu Jan 11 06:36:36 2024 UTC]
        TLS Callbacks:0x4a2820
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:dfac7e674cb895884a5114fa99908fdb
        Signature Valid:false
        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
        Signature Validation Error:The digital signature of the object did not verify
        Error Number:-2146869232
        Not Before:10/10/2022 01:00:00
        Not After:03/12/2025 23:59:59
        Subject Chain
        • CN=深圳市脸萌科技有限公司, O=深圳市脸萌科技有限公司, L=深圳市, S=广东省, C=CN, SERIALNUMBER=9144030008867405X2, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=深圳市, OID.1.3.6.1.4.1.311.60.2.1.2=广东省, OID.1.3.6.1.4.1.311.60.2.1.3=CN
        Version:3
        Thumbprint MD5:C5C97B805F83D1381B4AADF7D1118B57
        Thumbprint SHA-1:0DE175131E25EB885C04DED5B191D8DDB2B731A1
        Thumbprint SHA-256:387AEC372B4C3BC535427323A40BD18D0A2258B836A8B0459FC05E287D2CADD0
        Serial:0662C5A648D4D6FC929FF73F16F9882D
        Instruction
        call 00007FD740D58D3Eh
        jmp 00007FD740D3F6DEh
        push ebp
        mov ebp, esp
        mov edx, dword ptr [ebp+0Ch]
        mov eax, dword ptr [0056F1A0h]
        not edx
        mov ecx, dword ptr [ebp+08h]
        and edx, eax
        and ecx, dword ptr [ebp+0Ch]
        or edx, ecx
        mov dword ptr [0056F1A0h], edx
        pop ebp
        ret
        call 00007FD740D3FAEEh
        test eax, eax
        je 00007FD740D3F8AAh
        push 00000016h
        call 00007FD740D3FBBAh
        pop ecx
        test byte ptr [0056F1A0h], 00000002h
        je 00007FD740D3F8C3h
        push 00000017h
        call 00007FD740D85ED0h
        test eax, eax
        je 00007FD740D3F8A7h
        push 00000007h
        pop ecx
        int 29h
        push 00000001h
        push 40000015h
        push 00000003h
        call 00007FD740D3F8CDh
        add esp, 0Ch
        push 00000003h
        call 00007FD740D3ED46h
        int3
        jmp 00007FD740D3F9FCh
        push ebp
        mov ebp, esp
        push dword ptr [ebp+18h]
        push dword ptr [ebp+14h]
        push dword ptr [ebp+10h]
        push dword ptr [ebp+0Ch]
        push dword ptr [ebp+08h]
        call 00007FD740D3FA3Bh
        int3
        push ebp
        mov ebp, esp
        sub esp, 00000328h
        mov eax, dword ptr [0056F120h]
        xor eax, ebp
        mov dword ptr [ebp-04h], eax
        cmp dword ptr [ebp+08h], FFFFFFFFh
        push edi
        je 00007FD740D3F8ABh
        push dword ptr [ebp+08h]
        call 00007FD740D5871Bh
        pop ecx
        and dword ptr [ebp-00000320h], 00000000h
        lea eax, dword ptr [ebp-0000031Ch]
        push 0000004Ch
        push 00000000h
        push eax
        call 00007FD740D35D41h
        lea eax, dword ptr [ebp+00FFFCE0h]
        Programming Language:
        • [ASM] VS2013 build 21005
        • [ C ] VS2013 build 21005
        • [C++] VS2013 build 21005
        • [RES] VS2013 build 21005
        Name  Virtual Address  Virtual Size  Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT  0x16d220  0x4f  .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT  0x16d270  0x3c  .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE  0x178000  0x8f774  .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION  0x0  0x0
        IMAGE_DIRECTORY_ENTRY_SECURITY  0x306200  0x2e70
        IMAGE_DIRECTORY_ENTRY_BASERELOC  0x208000  0xa61c  .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG  0x143630  0x38  .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT  0x0  0x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR  0x0  0x0
        IMAGE_DIRECTORY_ENTRY_TLS  0x1623c8  0x18  .rdata
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  0x162380  0x40  .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  0x0  0x0
        IMAGE_DIRECTORY_ENTRY_IAT  0x143000  0x34c  .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  0x16aef8  0x280  .rdata
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0  0x0
        IMAGE_DIRECTORY_ENTRY_RESERVED  0x0  0x0
        Name  Virtual Address  Virtual Size  Raw Size  MD5  Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
        .text  0x1000  0x141f63  0x142000  2b9e2c7e30803b202bb834fc8c36f34b  False  0.439400050951087  data  6.424085501631316  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata  0x143000  0x2b5f4  0x2b600  8a2ebf6aa5949f13864fd1ff237b050c  False  0.41796875  OpenPGP Public Key  5.7863231543333855  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data  0x16f000  0x7700  0x3c00  38e2334aa44918adcc26bdbddaed411a  False  0.2755208333333333  data  4.646632416103085  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .tls  0x177000  0x2  0x200  bf619eac0cdf3f68d496ea9344137e8b  False  0.02734375  data  0.0  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc  0x178000  0x8f774  0x8f800  f0fbb9fb7afc9e6595da4d69b57a6ffa  False  0.3625088469076655  data  4.535256907315477  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc  0x208000  0xb200  0xb200  df0160a1ccf7426d662e4ed071b88222  False  0.7088965941011236  data  6.755933821891438  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINDATA | 0x178eac | 0x707 | PNG image data, 544 x 306, 8-bit colormap, non-interlaced | English | United States | 0.5430794886047804
BINDATA | 0x1795b4 | 0x3d8 | PNG image data, 128 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 0.9979674796747967
BINDATA | 0x17998c | 0x2ae | PNG image data, 128 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0029154518950438
BINDATA | 0x179c3c | 0x365 | PNG image data, 43 x 12, 8-bit/color RGBA, non-interlaced | English | United States | 1.0126582278481013
BINDATA | 0x179fa4 | 0x9fa | PNG image data, 288 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0043069694596711
BINDATA | 0x17a9a0 | 0xac4 | PNG image data, 288 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0039912917271407
BINDATA | 0x17b464 | 0xbde | PNG image data, 165 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036208031599736
BINDATA | 0x17c044 | 0x20ab | PNG image data, 304 x 31, 8-bit/color RGBA, non-interlaced | English | United States | 1.0013153174698075
BINDATA | 0x17e0f0 | 0x14a6 | PNG image data, 800 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 0.9631101021566402
BINDATA | 0x17f598 | 0x7c8 | PNG image data, 88 x 18, 8-bit/color RGBA, non-interlaced | English | United States | 1.0055220883534137
BINDATA | 0x17fd60 | 0xdc6 | PNG image data, 1088 x 612, 8-bit colormap, non-interlaced | English | United States | 0.44639818491208166
BINDATA | 0x180b28 | 0x834 | PNG image data, 256 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 0.9285714285714286
BINDATA | 0x18135c | 0x579 | PNG image data, 256 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 0.806566738044254
BINDATA | 0x1818d8 | 0x67f | PNG image data, 86 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0066145520144318
BINDATA | 0x181f58 | 0x17ce | PNG image data, 576 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.000164095831966
BINDATA | 0x183728 | 0x18fa | PNG image data, 576 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 0.9984360337816703
BINDATA | 0x185024 | 0x1723 | PNG image data, 330 x 96, 8-bit/color RGBA, non-interlaced | English | United States | 0.991051831841972
BINDATA | 0x186748 | 0x3fd9 | PNG image data, 608 x 62, 8-bit/color RGBA, non-interlaced | English | United States | 1.0003059039461608
BINDATA | 0x18a724 | 0x316a | PNG image data, 1600 x 72, 8-bit/color RGBA, non-interlaced | English | United States | 0.8958893280632411
BINDATA | 0x18d890 | 0x11ec | PNG image data, 176 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 0.995640802092415
BINDATA | 0x18ea7c | 0x383 | PNG image data, 72 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0122358175750834
BINDATA | 0x18ee00 | 0x256 | PNG image data, 88 x 22, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0183946488294315
BINDATA | 0x18f058 | 0x5c | PNG image data, 32 x 8, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0326086956521738
BINDATA | 0x18f0b4 | 0x9c | PNG image data, 32 x 8, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.044871794871795
BINDATA | 0x18f150 | 0x4de | PNG image data, 143 x 61, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0088282504012842
BINDATA | 0x18f630 | 0x38b5 | PNG image data, 294 x 311, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9117586278156644
BINDATA | 0x192ee8 | 0x793 | PNG image data, 388 x 31, 8-bit colormap, non-interlaced | Chinese | China | 0.9690562145435792
BINDATA | 0x19367c | 0x5be | PNG image data, 64 x 64, 8-bit gray+alpha, non-interlaced | Chinese | China | 1.0074829931972789
BINDATA | 0x193c3c | 0x192 | PNG image data, 11 x 31, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.027363184079602
BINDATA | 0x193dd0 | 0x1c3 | PNG image data, 11 x 31, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.024390243902439
BINDATA | 0x193f94 | 0x1b4 | PNG image data, 11 x 31, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.025229357798165
BINDATA | 0x194148 | 0x192 | PNG image data, 11 x 31, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.027363184079602
BINDATA | 0x1942dc | 0x1082 | PNG image data, 64 x 65, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0026029342167535
BINDATA | 0x195360 | 0xc29 | PNG image data, 640 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0035335689045937
BINDATA | 0x195f8c | 0xabf | PNG image data, 304 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0039985459832788
BINDATA | 0x196a4c | 0xb1c | PNG image data, 304 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0038677918424754
BINDATA | 0x197568 | 0x83f | PNG image data, 144 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.005210800568451
BINDATA | 0x197da8 | 0x9ebb | PNG image data, 588 x 622, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8798080472499077
BINDATA | 0x1a1c64 | 0x2bfc | PNG image data, 128 x 130, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0009769094138543
BINDATA | 0x1a4860 | 0x1c38 | PNG image data, 1280 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9540420819490587
BINDATA | 0x1a6498 | 0x1864 | PNG image data, 608 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9907110826393337
BINDATA | 0x1a7cfc | 0x1921 | PNG image data, 608 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9866314316803979
RT_ICON | 0x1a9620 | 0x528 | Device independent bitmap graphic, 16 x 32 x 32, image size 1280 | English | United States | 0.30757575757575756
RT_ICON | 0x1a9b48 | 0x7f8 | Device independent bitmap graphic, 20 x 40 x 32, image size 2000 | English | United States | 0.23774509803921567
RT_ICON | 0x1aa340 | 0xb68 | Device independent bitmap graphic, 24 x 48 x 32, image size 2880 | English | United States | 0.21335616438356164
RT_ICON | 0x1aaea8 | 0x1428 | Device independent bitmap graphic, 32 x 64 x 32, image size 5120 | English | United States | 0.16647286821705426
RT_ICON | 0x1ac2d0 | 0x1f68 | Device independent bitmap graphic, 40 x 80 x 32, image size 8000 | English | United States | 0.12338308457711443
RT_ICON | 0x1ae238 | 0x2d28 | Device independent bitmap graphic, 48 x 96 x 32, image size 11520 | English | United States | 0.10752595155709342
RT_ICON | 0x1b0f60 | 0x5028 | Device independent bitmap graphic, 64 x 128 x 32, image size 20480 | English | United States | 0.07792397660818713
RT_ICON | 0x1b5f88 | 0x6568 | Device independent bitmap graphic, 72 x 144 x 32, image size 25920 | English | United States | 0.07053158705701079
RT_ICON | 0x1bc4f0 | 0xb428 | Device independent bitmap graphic, 96 x 192 x 32, image size 46080 | English | United States | 0.05258022549869905
RT_ICON | 0x1c7918 | 0x14028 | Device independent bitmap graphic, 128 x 256 x 32, image size 81920 | English | United States | 0.038848218643240603
RT_ICON | 0x1db940 | 0x278f8 | Device independent bitmap graphic, 180 x 360 x 32, image size 162000 | English | United States | 0.02810417180942977
RT_ICON | 0x203238 | 0x23f2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9876113888285155
RT_DIALOG | 0x20562c | 0x122 | data | English | United States | 0.6689655172413793
RT_DIALOG | 0x205750 | 0x68 | data | English | United States | 0.75
RT_DIALOG | 0x2057b8 | 0x11e | data | Chinese | China | 0.6713286713286714
RT_DIALOG | 0x2058d8 | 0x42 | data | Chinese | China | 0.7878787878787878
RT_STRING | 0x20591c | 0x46 | data | English | United States | 0.6
RT_STRING | 0x205964 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x205990 | 0x296 | data | English | United States | 0.3323262839879154
RT_STRING | 0x205c28 | 0x328 | data | English | United States | 0.34405940594059403
RT_STRING | 0x205f50 | 0x27c | data | English | United States | 0.33176100628930816
RT_STRING | 0x2061cc | 0x106 | data | English | United States | 0.5763358778625954
RT_STRING | 0x2062d4 | 0xda | data | English | United States | 0.43119266055045874
RT_STRING | 0x2063b0 | 0x1f8 | data | English | United States | 0.36706349206349204
RT_STRING | 0x2065a8 | 0xae | data | English | United States | 0.5689655172413793
RT_STRING | 0x206658 | 0x44 | data | English | United States | 0.6764705882352942
RT_ACCELERATOR | 0x20669c | 0x70 | data | English | United States | 0.6785714285714286
RT_GROUP_ICON | 0x20670c | 0xae | data | English | United States | 0.6436781609195402
RT_VERSION | 0x2067bc | 0x2f8 | data | English | United States | 0.44605263157894737
RT_VERSION | 0x206ab4 | 0x5f4 | data | Chinese | China | 0.3510498687664042
RT_MANIFEST | 0x2070a8 | 0x6c9 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1677), with CRLF line terminators | English | United States | 0.30166954519286127
DLL | Import
POWRPROF.dll | PowerDeterminePlatformRole
KERNEL32.dll | GetVolumePathNameW, GetFullPathNameA, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, RemoveDirectoryW, RaiseException, GetLastError, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindResourceExW, GetModuleFileNameW, LoadResource, LockResource, SizeofResource, FindResourceW, CreateFileW, GetFileSize, ReadFile, WriteFile, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, ExpandEnvironmentStringsW, GetFullPathNameW, GetLongPathNameW, SetFileAttributesW, SetLastError, DeviceIoControl, GetVersionExW, GetModuleHandleW, GetProcAddress, LocalFree, WaitForSingleObject, OpenProcess, GetWindowsDirectoryW, FreeLibrary, LoadLibraryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetCurrentProcess, GetCurrentThread, SetFilePointer, ProcessIdToSessionId, GetCommandLineW, GetDiskFreeSpaceExW, GetVolumeInformationW, QueryDosDeviceW, GetTempPathW, GetCurrentProcessId, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetVersion, GetLocalTime, GetTickCount, GetSystemDirectoryW, LocalAlloc, lstrcmpW, BeginUpdateResourceW, UpdateResourceW, EndUpdateResourceW, CopyFileW, MoveFileExW, WTSGetActiveConsoleSessionId, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, CreateEventW, CreateThread, MoveFileW, Sleep, TerminateThread, GetPrivateProfileIntW, GetPrivateProfileStringW, GetEnvironmentVariableW, GetShortPathNameW, DecodePointer, SetErrorMode, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, ResumeThread, SetPriorityClass, LoadLibraryExW, SetDefaultDllDirectories, lstrcmpiW, FlushInstructionCache, lstrlenW, GetProcessId, GetModuleHandleA, GetTempFileNameW, MapViewOfFile, UnmapViewOfFile, GetLogicalDriveStringsW, SetEnvironmentVariableA, ReplaceFileW, GetCurrentDirectoryW, CreateFileMappingW, SetCurrentDirectoryW, GetFileAttributesExW, GetNativeSystemInfo, CreateMutexW, FormatMessageA, OutputDebugStringA, ReleaseMutex, RegisterWaitForSingleObject, UnregisterWaitEx, FindFirstFileExW, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, QueryPerformanceCounter, GetSystemTimeAsFileTime, TzSpecificLocalTimeToSystemTime, FileTimeToSystemTime, QueryPerformanceFrequency, SetEndOfFile, SetFilePointerEx, UnlockFile, LockFile, SetFileTime, FlushFileBuffers, GetFileSizeEx, DuplicateHandle, GetFileInformationByHandle, SetThreadPriority, GetThreadPriority, IsDebuggerPresent, GetUserDefaultLangID, TryEnterCriticalSection, GetModuleHandleExW, TlsGetValue, TlsSetValue, TlsAlloc, TlsFree, SetInformationJobObject, GetQueuedCompletionStatus, PostQueuedCompletionStatus, CreateIoCompletionPort, WaitForMultipleObjects, GlobalMemoryStatusEx, RtlCaptureStackBackTrace, QueueUserWorkItem, GetModuleHandleExA, GetProcessHeaps, HeapSetInformation, HeapUnlock, HeapLock, HeapWalk, GetProcessIoCounters, VirtualQueryEx, GetProcessTimes, GetSystemInfo, InitializeCriticalSectionEx, LoadLibraryExA, OutputDebugStringW, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, EncodePointer, RtlUnwind, VirtualProtect, VirtualQuery, ExitProcess, AreFileApisANSI, SetConsoleCtrlHandler, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, GetStdHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, CreateSemaphoreW, ReadConsoleW, FatalAppExitA, GetTimeZoneInformation, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetDriveTypeW
Name | Ordinal | Address
GetHandleVerifier | 1 | 0x429a00
Description | Data
CompanyName | ByteDance
ProductName |
LegalCopyright | Copyright (C) 2022 ByteDance
InternalName | JianyingPro
OriginalFilename | JianyingPro
FileDescription | JianyingPro
FileVersion | 1.0.0.000000
ProductVersion | 1.0.0.000000
Official Build | 1
Translation | 0x0000 0x04b0

CompanyName | ByteDance
ProductName |
LegalCopyright | Copyright (C) 2022 ByteDance
InternalName | JianyingPro
OriginalFilename | JianyingPro
FileDescription | JianyingPro
FileVersion | 5.4.0.11246
ProductVersion | 5.4.0.11246
Official Build | 1
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken
English | United States
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2025 12:29:24.590672016 CET | 49813 | 11519 | 192.168.2.9 | 101.43.216.184
Feb 25, 2025 12:29:24.595779896 CET | 11519 | 49813 | 101.43.216.184 | 192.168.2.9
Feb 25, 2025 12:29:24.595901966 CET | 49813 | 11519 | 192.168.2.9 | 101.43.216.184
Feb 25, 2025 12:29:26.638921022 CET | 11519 | 49813 | 101.43.216.184 | 192.168.2.9
Feb 25, 2025 12:29:26.639048100 CET | 49813 | 11519 | 192.168.2.9 | 101.43.216.184
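The five packets above are a single TCP connection from the sandbox host (192.168.2.9, ephemeral port 49813) to 101.43.216.184:11519, which is exactly the endpoint in the extracted "Shell Reverse Tcp" configuration; the remote side answers within about 5 ms and again two seconds later, so the callback reached a live listener rather than timing out. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds bidirectional flows from rows copied out of this table, takes the first packet of each 4-tuple as the initiator (for a reverse shell the victim connects out), and flags flows that hit the configured C2 endpoint or use a server port outside a small allowlist. The allowlist of common server ports is an assumption made for illustration.

```python
# Added example (not from the Joe Sandbox report): rebuild bidirectional TCP
# flows from packet rows and flag the ones matching the extracted C2 endpoint.
from datetime import datetime

# Packet rows copied from the report's flow table:
# timestamp | source port | destination port | source IP | destination IP
PACKET_ROWS = [
    "Feb 25, 2025 12:29:24.590672016 CET|49813|11519|192.168.2.9|101.43.216.184",
    "Feb 25, 2025 12:29:24.595779896 CET|11519|49813|101.43.216.184|192.168.2.9",
    "Feb 25, 2025 12:29:24.595901966 CET|49813|11519|192.168.2.9|101.43.216.184",
    "Feb 25, 2025 12:29:26.638921022 CET|11519|49813|101.43.216.184|192.168.2.9",
    "Feb 25, 2025 12:29:26.639048100 CET|49813|11519|192.168.2.9|101.43.216.184",
]

# Configuration block extracted by the sandbox (shown at the top of the report).
MALWARE_CONFIG = {"Type": "Shell Reverse Tcp", "IP": "101.43.216.184", "Port": 11519}

# Assumed allowlist of server ports a callback could hide behind; anything else
# is treated as "non-standard", mirroring the report's signature of that name.
COMMON_SERVER_PORTS = {53, 80, 123, 443, 445, 3389}


def parse_timestamp(text: str) -> datetime:
    """'Feb 25, 2025 12:29:24.590672016 CET' -> naive datetime (ns truncated to us)."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(rows):
    """Group packets into flows keyed by (client IP, client port, server IP, server port).

    The first packet seen for a 4-tuple defines the client (initiator), which is
    what matters for a reverse shell: the victim connects out."""
    flows = {}
    for row in rows:
        ts, sport, dport, sip, dip = row.split("|")
        fwd = (sip, int(sport), dip, int(dport))
        rev = (dip, int(dport), sip, int(sport))
        when = parse_timestamp(ts)
        if fwd in flows:
            key, direction = fwd, "to_server"
        elif rev in flows:
            key, direction = rev, "to_client"
        else:
            key, direction = fwd, "to_server"
            flows[fwd] = {"first": when, "last": when, "to_server": 0, "to_client": 0}
        flows[key][direction] += 1
        flows[key]["last"] = when
    return flows


def classify_flows(flows, config, common_ports=COMMON_SERVER_PORTS):
    """Return [(flow_key, [reasons])] for flows that deserve an alert."""
    c2 = (config["IP"], int(config["Port"]))
    findings = []
    for key, f in flows.items():
        _client_ip, _client_port, server_ip, server_port = key
        reasons = []
        if (server_ip, server_port) == c2:
            reasons.append("destination matches C2 endpoint in extracted configuration")
        if server_port not in common_ports:
            reasons.append(f"connection to non-standard port {server_port}")
        if f["to_client"] > 0:
            reasons.append("remote end replied, so the callback reached a live listener")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    flows = build_flows(PACKET_ROWS)
    for key, reasons in classify_flows(flows, MALWARE_CONFIG):
        f = flows[key]
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  "
              f"{f['to_server']} pkts out / {f['to_client']} in over {span:.3f}s")
        for r in reasons:
            print("   -", r)
```

Run against the rows above this yields one flow, three packets out and two in over roughly 2.05 s, with all three reasons attached. Swapping the config dictionary for one fed from the sandbox's JSON export turns the same logic into a quick check that observed traffic actually corresponds to the statically recovered C2, which is the evidence that separates a live implant from a dormant sample.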
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 25, 2025 12:29:06.674963951 CET | 1.1.1.1 | 192.168.2.9 | 0xd0e2 | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 25, 2025 12:29:06.674963951 CET | 1.1.1.1 | 192.168.2.9 | 0xd0e2 | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
No statistics

Target ID: 0
Start time: 06:29:11
Start date: 25/02/2025
Path: C:\Users\user\Desktop\kKedpe24sH.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kKedpe24sH.exe"
Imagebase: 0x400000
File size: 3'182'704 bytes
MD5 hash: AFFE33C992206475938B7B0692ABA80F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leveraged by Metasploit shellcode, Source: 00000000.00000002.3815193713.0000000000790000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false
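Both Yara hits land in the same memory region (0x790000, a private 0x...40 RWX-style allocation rather than the image itself), and the second rule is the useful one for triage: Metasploit's x86 block_api stub carries no API names at all. It walks the PEB loader list, hashes each module's BaseDllName and export names with a rotate-right-13 accumulator, and compares the sum against a 32-bit constant the caller pushed immediately before `call ebp`. So the fastest way to learn what a dumped stager does is to recompute those hashes for the APIs a reverse-TCP shell needs and label every `push imm32; call ebp` site. The Python below is an added example and not code from the report, from Joe Sandbox or from the Metasploit project; the shellcode bytes it scans are constructed in the script (not taken from the 0x790000 dump, which the report does not reproduce), and the list of APIs is an assumption about what a Shell Reverse Tcp stager calls. The computed values reproduce the constants that appear in Metasploit's own x86 stagers, for example 0x0726774C for kernel32.dll!LoadLibraryA and 0x56A2B5F0 for kernel32.dll!ExitProcess, which is how you can tell the recomputation is faithful before trusting it on unknown hashes.

```python
# Added example (not from the Joe Sandbox report or Metasploit): recompute the
# ROR-13 API hashes that Metasploit's x86 block_api stub compares at runtime,
# then use them to label "push imm32 / call ebp" sites in a code blob.
import re
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the x86 ROR instruction)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def module_hash(module: str, include_terminator: bool = True) -> int:
    """Hash of a module name as block_api reads it from the PEB loader list.

    The stub reads the UTF-16LE BaseDllName byte by byte and folds a-z to A-Z
    (cmp al,'a' / sub al,0x20), which .upper() reproduces for ASCII names.
    block_api walks BaseDllName.MaximumLength bytes, so the wide NUL terminator
    is included; ReflectiveLoader-style code walks Length bytes instead, which
    include_terminator=False models."""
    name = module.upper() + ("\x00" if include_terminator else "")
    h = 0
    for b in name.encode("utf-16-le"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def function_hash(function: str) -> int:
    """Hash of an export name as ASCII, including the NUL byte the loop stops on."""
    h = 0
    for b in function.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """The 32-bit key pushed before `call ebp`: module hash + function hash."""
    return (module_hash(module) + function_hash(function)) & MASK32


# APIs a reverse-TCP stager is expected to call (assumed list; extend as needed).
KNOWN_APIS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "ExitThread"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"),
]
HASH_TO_NAME = {api_hash(m, f): f"{m}!{f}" for m, f in KNOWN_APIS}

# 68 imm32 = push imm32; FF D5 = call ebp (ebp holds block_api's address).
PUSH_IMM32_CALL_EBP = re.compile(rb"\x68(.{4})\xff\xd5", re.DOTALL)


def resolve_api_calls(code: bytes) -> list:
    """Return (offset, hash, name-or-'unknown') for each block_api call site."""
    hits = []
    for m in PUSH_IMM32_CALL_EBP.finditer(code):
        h = struct.unpack("<I", m.group(1))[0]
        hits.append((m.start(), h, HASH_TO_NAME.get(h, "unknown")))
    return hits


# Constructed stand-in for a dumped code region (NOT bytes from the sample):
# two block_api call sites separated by NOP padding.
SAMPLE_CODE = (
    b"\x90" * 4
    + b"\x68" + struct.pack("<I", api_hash("kernel32.dll", "LoadLibraryA")) + b"\xff\xd5"
    + b"\x90" * 3
    + b"\x68" + struct.pack("<I", api_hash("ws2_32.dll", "connect")) + b"\xff\xd5"
)

if __name__ == "__main__":
    for mod, fn in KNOWN_APIS:
        print(f"0x{api_hash(mod, fn):08X}  {mod}!{fn}")
    for off, h, name in resolve_api_calls(SAMPLE_CODE):
        print(f"+0x{off:04x}: push 0x{h:08X}; call ebp  -> {name}")
```

Point `resolve_api_calls` at the bytes of the flagged .sdmp region instead of `SAMPLE_CODE` to get the call sequence of the real stager; any hash that comes back "unknown" is a candidate to add to `KNOWN_APIS` rather than a sign the scheme differs. The ordering of the sum matters only modulo 2^32, but the terminator handling does not: a table built with `include_terminator=False` will match ReflectiveLoader-derived loaders and miss every Metasploit constant, which is a common reason hash lookups silently fail.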

        No disassembly