Windows
Analysis Report
temp_error_logs.scr.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- temp_error_logs.scr.exe (PID: 1796, cmdline: "C:\Users\user\Desktop\temp_error_logs.scr.exe", MD5: 51A1010AA03722EAE1FA2A8C55E80885)
  - WerFault.exe (PID: 2176, cmdline: C:\Windows\system32\WerFault.exe -u -p 1796 -s 708, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-25T16:44:04.866114+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | TCP |
- AV Detection
- Compliance
- Software Vulnerabilities
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection |
---|
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF73EF51E03 |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00007FF73EF57F70 |
Source: | Code function: | 0_2_00007FF73EF59EF0 |
Source: | Code function: | 0_2_00007FF73EF5A630 |
Source: | Code function: | 0_2_00007FF73EF5B080 |
Source: | Code function: | 0_2_00007FF73EF596F0 |
Source: | Code function: | 0_2_00007FF73EF57D00 |
Source: | Code function: | 0_2_00007FF73EF54F60 |
Source: | Process created: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: |
Source: | API coverage: |
Source: | Thread sleep time: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00007FF73EF59E20 |
Source: | Code function: | 0_2_00007FF73EF66300 |
Source: | Code function: | 0_2_00007FF73EF51190 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 3 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 14 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 3 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Detection | Scanner | Label |
---|---|---|
34% | Virustotal | |
33% | ReversingLabs | Win64.Trojan.Sonbokli |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
autoservice-23.ru | 185.114.247.104 | true | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.114.247.104 | autoservice-23.ru | Russian Federation | 9123 | TIMEWEB-ASRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1648207 |
Start date and time: | 2025-03-25 16:43:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | temp_error_logs.scr.exe |
Detection: | MAL |
Classification: | mal52.winEXE@2/5@1/1 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.135.6, 184.31.69.3, 4.245.163.56
- Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
11:44:04 | API Interceptor | |
11:44:10 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
TIMEWEB-ASRU | | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | DarkVision Rat | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | Unknown | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | Unknown | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
Process: | C:\Windows\System32\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9258917181282965 |
Encrypted: | false |
SSDEEP: | 96:1dJFGSL5s6hOA77fnBQXIDcQtc6vCHcECcw38+HbHg/5yuuzOqgOyjCD5Pkg9hiR:R95Zm0zLMIJjV3izuiF1Z24lO8H |
MD5: | 7EFA2BEA1B8EC806C778FB01AF836BAE |
SHA1: | 051E0C20FF1A44E95FC0E54546F2AC6364622FCE |
SHA-256: | 9F679BB4E3BD62D5758B369896EA7EE9E6987874895570AB4113A2D49E974029 |
SHA-512: | DE3EE220AB7F169623D012C1CB4F1C9E1F9D59D08877029DBBD1F7268C2E98FE7CC53E3125F440569C094414505321218385FD31BE26841D6DCE89A50E715E20 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
Category: | dropped |
Size (bytes): | 8824 |
Entropy (8bit): | 3.7023186062917524 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ/5gxIPIQ6Y6UuXgmfgLc9pDt89bibqcfZ8jm:R6lXJxyIPIQ6Y5uXgmfgLcSib5fu6 |
MD5: | F6749ECD9D640B363572D63E80805730 |
SHA1: | 54BEE9F06559264D804E4E7FC94F2C9439AF49D7 |
SHA-256: | 43A69F2F1012EAB53D89195163FAA55934CBC452242930D2DB08BCC34B574D94 |
SHA-512: | 80A43753A155B928275FCC33CB510283B4B451DA1D8BDFE6E69EFF2EED9717318DA1E1D60162BAAB742B8DBBD3DF923A9C9D37464EBE8E9F361E450FBB09FD42 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
Category: | dropped |
Size (bytes): | 4704 |
Entropy (8bit): | 4.453159334433156 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsJJg771I9KtWpW8VYEYm8M4J946FHyq85l/8sTN3d:uIjfbI7lc7VAJWQY8oN3d |
MD5: | C0D0E18B265491D659C84FA256DC1AC0 |
SHA1: | 9ADFEB315259A64B26B5764413957BB3E8190652 |
SHA-256: | 396D18E217ACAED1619DCD45F0B291619AD017898077C93265E569C51A8194D4 |
SHA-512: | BF4FB64357829BCB35C50245A860621FF5F8B585489DC13FC1530BA6C6417D2213029C495E42AF716CA52639C5A95EF8FAE561DC33A08A95E5BDA4F48E6D968D |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
Category: | dropped |
Size (bytes): | 143426 |
Entropy (8bit): | 1.3750227114062652 |
Encrypted: | false |
SSDEEP: | 192:Or8+h1muhqRQEKO+B3dxo769vOUm+gEV/MCYtnNF6CAd8fTJVgk5hpatAJG0:1+h1FmQU+Btxo76pQHYvsNF6CqMrNNJ |
MD5: | 0A414479DDAA2AFD89871757B5548FBA |
SHA1: | FE39B31CB783B689BA7ABE424BB90EF8DDED9F10 |
SHA-256: | B03D703148D5D3BFF71BC2E572161713C6BE6A8ED065020C6377B4750F64882D |
SHA-512: | B8E103DB1701BA2D3E955C296B8C65E590A534FC71B11385F660D4AE721A8B7B6A9ECA099E603E06B9D20D74E19CD9B27806B346C8D982D546841CB49C5B26D1 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.468831394625387 |
Encrypted: | false |
SSDEEP: | 6144:OIXfpi67eLPU9skLmb0b4jWSPKaJG8nAgejZMMhA2gX4WABlVuNNdwBCswSb7i:DXD94jWlLZMM6YFU/+7i |
MD5: | FC0C1414C04B2A7DB043A9C051726650 |
SHA1: | C9E1E0831DA4BB2E3BE834404E981D666D95F0A9 |
SHA-256: | BD42EA8397BA4FC0787DDE9828C57CCF55DEA4DDE95D5C7F1DEB49893E5902C1 |
SHA-512: | A7AD3AC376F566847C351CD56FC479774451DF4203514A9A8F0D183C3B5D1EA64B71F87519A631738F32CCB2589BBC2BC11FE596FF8FDAD3FA57A7875789575B |
Malicious: | false |
Reputation: | low |
Entropy (8bit): | 7.444798509982794 |
File name: | temp_error_logs.scr.exe |
File size: | 170'496 bytes |
MD5: | 51a1010aa03722eae1fa2a8c55e80885 |
SHA1: | c43a11071ca070c9d01298046eb44f8a1cf7d0a6 |
SHA256: | 07162f49a860051f8f878b3e3824168d8e0ede5672d21ab3746a2ee5410c0bb3 |
SHA512: | 2e095305a85009a9d27db558979ccf1242b08db15949b76a6e32378b8311ce0baea7ae74db01a3aac0d004c0ab937d47472de7a9f6ca6d2bf9a248ee8b8a714b |
SSDEEP: | 3072:RZAApTxg89HNH2XpykZOq78L/3GaT0pYQzO7zsCgxeD5zDR5:RDpn9tFkZ/0vGa4DzO/pgxeD5zV5 |
TLSH: | 04F3C016F39362FCC523C47442AB7672BE32B86606204F7E63E8E7315E21E115B3DA59 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............&.......................@....................................d.....`... ............................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x1400014d0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x67D3FC0A [Fri Mar 14 09:51:06 2025 UTC] |
TLS Callbacks: | 0x40001680, 0x1, 0x40001650, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 2a7632ed785255ad126b2e8d95a9fa96 |
Instruction |
---|
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [00011615h] |
mov dword ptr [eax], 00000001h |
call 00007F750CB66EEFh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop dword ptr [eax] |
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [000115F5h] |
mov dword ptr [eax], 00000000h |
call 00007F750CB66ECFh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop dword ptr [eax] |
dec eax |
sub esp, 28h |
call 00007F750CB6D1B4h |
dec eax |
test eax, eax |
sete al |
movzx eax, al |
neg eax |
dec eax |
add esp, 28h |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
dec eax |
lea ecx, dword ptr [00000009h] |
jmp 00007F750CB67219h |
nop dword ptr [eax+00h] |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
dec ecx |
mov ebx, ecx |
ret |
dec ecx |
mov edx, ecx |
inc ecx |
mov eax, dword ptr [ebx+08h] |
inc ecx |
jmp dword ptr [ebx] |
ret |
nop |
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [0000DAA5h] |
dec eax |
mov eax, dword ptr [eax] |
dec eax |
test eax, eax |
je 00007F750CB67264h |
nop dword ptr [eax+eax+00h] |
call eax |
dec eax |
mov eax, dword ptr [0000DA8Fh] |
dec eax |
lea edx, dword ptr [eax+08h] |
dec eax |
mov eax, dword ptr [eax+08h] |
dec eax |
mov dword ptr [0000DA80h], edx |
dec eax |
test eax, eax |
jne 00007F750CB67225h |
dec eax |
add esp, 00000000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16000 | 0xa30 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x16340 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x13000 | 0x4a4 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x30000 | 0x84 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x122e0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x162a8 | 0x258 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xd9c8 | 0xda00 | 261b402aec60a19230b87d056ade0159 | False | 0.5595792717889908 | data | 6.242509561498838 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xf000 | 0x2a60 | 0x2c00 | a653e93d53c1b8b105b8358fc9f01cd2 | False | 0.20152698863636365 | data | 4.594133415958572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x12000 | 0xc90 | 0xe00 | c67563ba238553d3f6be5853b8a7d61a | False | 0.42940848214285715 | data | 4.63680692028798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x13000 | 0x4a4 | 0x600 | fe4887339b5be68f76e93d2cafad6c06 | False | 0.4225260416666667 | data | 3.7255521539049417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.xdata | 0x14000 | 0x460 | 0x600 | 97e063e03464150ed3bef4069587c1f0 | False | 0.2994791666666667 | data | 3.589510160429754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x15000 | 0xb60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x16000 | 0xa30 | 0xc00 | 9762a552cd6b6f613713fad3bee27931 | False | 0.3014322916666667 | data | 3.775851499023205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x17000 | 0x68 | 0x200 | 7895f8a49816d49e5dfbf278995305f6 | False | 0.072265625 | data | 0.3406417195159507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x18000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x19000 | 0x16340 | 0x16400 | bea343a54dabb53042b68171c2d74a32 | False | 0.9972568469101124 | data | 7.994057654667068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x30000 | 0x84 | 0x200 | aa7a02d4d0e2d78f411d76c773c2a134 | False | 0.251953125 | data | 1.5791638072144614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_RCDATA | 0x19058 | 0x162e2 | data | English | United States | 0.9996147495872317 |
DLL | Import |
---|---|
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, ReadConsoleA, ReadConsoleInputW, ReadConsoleW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte |
msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _cexit, _commode, _errno, _filelengthi64, _fileno, _fmode, _initterm, _localtime64, _lock, _mktime64, _onexit, _time64, _unlock, _utime64, _wfopen_s, _wfreopen_s, _wstat64, abort, calloc, exit, fclose, fflush, fgetpos, fprintf, fputc, fread, free, fsetpos, fwrite, localeconv, malloc, memcmp, memcpy, memset, realloc, remove, signal, strerror, strlen, strncmp, vfprintf, wcslen |
SHELL32.dll | SHGetFolderPathW |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-25T16:44:04.866114+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | TCP |
- Total Packets: 15
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 16:44:04.411334991 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.411376953 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:04.411477089 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.434096098 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.434129000 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:04.865977049 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:04.866113901 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.869659901 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.869678974 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:04.870037079 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:04.910397053 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.931905985 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.933309078 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:04.933381081 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985377073 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985404968 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985410929 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985419989 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985445976 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985471010 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:05.985486031 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985497952 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:05.985526085 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:05.985887051 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.985902071 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.986025095 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:05.986031055 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4 |
Mar 25, 2025 16:44:05.986092091 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Mar 25, 2025 16:44:05.987016916 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 16:44:03.932454109 CET | 59160 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 25, 2025 16:44:04.404454947 CET | 53 | 59160 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 25, 2025 16:44:03.932454109 CET | 192.168.2.4 | 1.1.1.1 | 0x694a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 25, 2025 16:44:04.404454947 CET | 1.1.1.1 | 192.168.2.4 | 0x694a | No error (0) | | | 185.114.247.104 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | 1796 | C:\Users\user\Desktop\temp_error_logs.scr.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 15:44:04 UTC | 312 | OUT | |
2025-03-25 15:44:04 UTC | 1 | OUT | |
2025-03-25 15:44:05 UTC | 399 | IN | |
2025-03-25 15:44:05 UTC | 15985 | IN | |
2025-03-25 15:44:05 UTC | 16384 | IN |
Target ID: | 0 |
Start time: | 11:44:02 |
Start date: | 25/03/2025 |
Path: | C:\Users\user\Desktop\temp_error_logs.scr.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\temp_error_logs.scr.exe" |
Imagebase: | 0x7ff73ef50000 |
File size: | 170'496 bytes |
MD5 hash: | 51A1010AA03722EAE1FA2A8C55E80885 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:44:06 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\WerFault.exe -u -p 1796 -s 708 |
Imagebase: | 0x7ff75b790000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16.9% |
Total number of Nodes: | 718 |
Total number of Limit Nodes: | 1 |