Edit tour

Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Sample name:	Black Myth Wukong Sigma Downloader.zip
Analysis ID:	1654174
MD5:	20f570224521e29be00f00760eb19908
SHA1:	cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256:	7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Opens the same file many times (likely Sandbox evasion)

Abnormal high CPU Usage

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 7016 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Sigma.exe (PID: 3024 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6212 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

WerFault.exe (PID: 6232 cmdline: C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

Sigma.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3768 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Black Myth Wukong Sigma Downloader.zip	Virustotal: Detection: 52%			Perma Link
Source: Black Myth Wukong Sigma Downloader.zip	ReversingLabs: Detection: 55%

Source: Sigma.exe, 0000000B.00000000.1294132273.00007FF67CEED000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_66a773e9-5

Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49740 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 104.71.182.190 104.71.182.190

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.steampowered.com

Source: Sigma.exe	String found in binary or memory: http://protobuf.dev/programming-guides/enum/#cpp
Source: Sigma.exe	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/
Source: Sigma.exe	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver
Source: Sigma.exe, 0000000B.00000002.1576586326.000002734BA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/s
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

Process Stats: CPU usage > 24%

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048

Source: classification engine

Classification label: mal52.evad.winZIP@10/6@2/2

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

File created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3024
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cfc5d255-23be-4b96-817c-5303beacef74

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Black Myth Wukong Sigma Downloader.zip	Virustotal: Detection: 52%
Source: Black Myth Wukong Sigma Downloader.zip	ReversingLabs: Detection: 55%

Source: Sigma.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectory%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048
Source: unknown	Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Black Myth Wukong Sigma Downloader.zip

Static file information: File size 5993588 > 1048576

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak count: 36118			Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak count: 36116			Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Window / User API: threadDelayed 2154	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 448	Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls			Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Black Myth Wukong Sigma Downloader.zip	52%	Virustotal		Browse
Black Myth Wukong Sigma Downloader.zip	55%	ReversingLabs	Win64.Trojan.Suschil

Source	Detection	Scanner	Label	Link
http://protobuf.dev/programming-guides/enum/#cpp	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.steampowered.com	104.71.182.190	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Sigma.exe	false		high
http://protobuf.dev/programming-guides/enum/#cpp	Sigma.exe	false	Avira URL Cloud: safe	unknown
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/s	Sigma.exe, 0000000B.00000002.1576586326.000002734BA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	Sigma.exe	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/	Sigma.exe	false		high
https://curl.se/docs/http-cookies.html	Sigma.exe	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver	Sigma.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.71.182.190	api.steampowered.com	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654174
Start date and time:	2025-04-02 02:50:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Black Myth Wukong Sigma Downloader.zip
Detection:	MAL
Classification:	mal52.evad.winZIP@10/6@2/2
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.149.20.212, 23.205.30.245, 40.126.24.83, 23.57.90.149
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
20:51:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.71.182.190	i1myxYUbbP.exe	Get hash	malicious	Vidar	Browse
	https://u.to/JmY0Ig	Get hash	malicious	Unknown	Browse
	random(11).exe	Get hash	malicious	LummaC Stealer	Browse
	ayin.v0.1.0.exe	Get hash	malicious	LummaC	Browse
	ayin.v0.1.0.exe	Get hash	malicious	LummaC	Browse
	lunara.exe	Get hash	malicious	Unknown	Browse
	https://www.steamvr.com/de/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.steampowered.com	https://u.to/JmY0Ig	Get hash	malicious	Unknown	Browse	23.204.10.89
	https://sceanmcommnunmnlty.com/siute/apxpw/zpq	Get hash	malicious	Unknown	Browse	104.73.234.102
	http://steameconmnnuity.com/f848937bf21d19cda314441b9eca9f3c/bGlua3Nob3J0LnJ1bg==/aHR0cDovL3N0ZWFtZWNvbm1ubnVpdHkuY29tLzg5ODkwODA5Lw==	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://sreqmcoommnunlty.com/pikus/kils/nuks	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://sreqmcoommnunlty.com/bysre/tytik/pols	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://staemcommunuttly.com/gift/activation=Dor5Fhnm1w	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://steamcommunurty.com/id/7656135508021645	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://stearncommmunity.com/profiles/52829086342741	Get hash	malicious	Unknown	Browse	104.73.234.102
	http://gift50steam.com/50	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://u.to/8eAUIg	Get hash	malicious	HTMLPhisher	Browse	104.73.234.102

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	i1myxYUbbP.exe	Get hash	malicious	Vidar	Browse	104.71.182.190
	BIGIPEdgeClient 2024.exe	Get hash	malicious	Unknown	Browse	23.46.226.182
	BIGIPEdgeClient.exe	Get hash	malicious	Unknown	Browse	23.197.253.43
	BIGIPEdgeClient 2024.exe	Get hash	malicious	Unknown	Browse	23.39.37.29
	https://sprayfoamsys.com/service-center/	Get hash	malicious	Unknown	Browse	23.196.3.202
	https://microwaveeng-dot-m365view-318723.uc.r.appspot.com/	Get hash	malicious	HTMLPhisher	Browse	23.56.162.51
	i486.elf	Get hash	malicious	Unknown	Browse	104.106.110.98
	x86_64.elf	Get hash	malicious	Unknown	Browse	23.14.155.4
	https://sprayfoamsys.com	Get hash	malicious	Unknown	Browse	23.196.3.177
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	23.196.9.175

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	taskthow.exe	Get hash	malicious	Unknown	Browse	104.71.182.190
	core.vapvap	Get hash	malicious	Unknown	Browse	104.71.182.190
	d#U043e.xlsm	Get hash	malicious	Unknown	Browse	104.71.182.190
	Windows Service.exe	Get hash	malicious	Unknown	Browse	104.71.182.190
	xpmg.exe	Get hash	malicious	Unknown	Browse	104.71.182.190
	Talksy (1).exe	Get hash	malicious	Meduza Stealer, RHADAMANTHYS	Browse	104.71.182.190
	aisolution_a.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.71.182.190
	Talksy.exe	Get hash	malicious	Unknown	Browse	104.71.182.190
	Talksy.exe	Get hash	malicious	Unknown	Browse	104.71.182.190
	CPANEL(1)..ps1	Get hash	malicious	Unknown	Browse	104.71.182.190

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigma.exe_144c8af7cd7c54c2c2253da73a2bfa3ff06fe5ad_500bce02_45f55ca2-9278-4640-b0af-03ecc55c68d2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7853289720975717
Encrypted:	false
SSDEEP:	96:w6DFaiIsUhWe7TvVQXIDcQODc6OgmcE1cw3hxPx2+HbHg/K1JeeonsFvHBW7ra/k:hAiI808D6x/Fj7zuiFpZ24lO8z9
MD5:	D9902DFCC791F26DAD76DF35C973AD6F
SHA1:	6518F749F616D755A4105C69275265EA54F1A76D
SHA-256:	407CF4AA45B567186694C7CB58E78DF25BA24FD532492EFF4063F79BC35B0D03
SHA-512:	9B410D5A81A9C28D3DD022E1A27553238E08D9CC9F65FFCDCCE2C609216A0DAC921E5CC6432A3315A3C66AA22E6854F66551CB4BB3479E3D873DAD2CACC465E9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.0.2.8.6.9.6.3.7.9.3.7.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.0.2.8.6.9.6.8.0.8.3.6.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.f.5.5.c.a.2.-.9.2.7.8.-.4.6.4.0.-.b.0.a.f.-.0.3.e.c.c.5.5.c.6.8.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.0.c.e.b.d.-.1.a.1.7.-.4.8.e.5.-.a.c.9.9.-.e.1.b.a.a.0.b.4.2.6.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.i.g.m.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.d.0.-.0.0.0.1.-.0.0.1.9.-.a.0.a.f.-.4.1.5.3.6.9.a.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.f.d.6.1.c.3.d.8.3.0.e.f.a.b.2.7.7.c.a.e.0.1.3.5.8.3.8.0.8.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.2.8.9.d.5.7.e.0.2.9.2.c.c.9.4.5.c.1.5.9.8.4.c.6.4.5.d.a.9.4.b.3.7.9.2.5.e.0.6.e.!.S.i.g.m.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3././.2.6.:.1.2.:.2.0.:.1.4.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76D6.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 2 00:51:36 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	309500
Entropy (8bit):	1.307767036662427
Encrypted:	false
SSDEEP:	768:EyY5VLqiG9FoOz2E3yHFX0I24YvZlDzT9WDdNOQn:r/iG9FoOyE3yHFX0I24YvZlDcOQn
MD5:	5F07A30901580AA8A8CBD3A734D6DFB5
SHA1:	3F631C041C89DDBA4729DC13DE0BBC289FD069C8
SHA-256:	DAAC69226842FC583B1F6B5005D0E285EA9EF50F66751DDB9DFA09CD108DDB1E
SHA-512:	AAC4E6917150769B7035E1D592E24F652B352B557B5AA5DF9B4AC143E53D38B802DABD8A8BA2BD5927F4223FC68707FE1D0AA80713652C75FD4369ADDE0763AB
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............$...............,......................T.......8...........T...............\.......................................................................................................eJ......@.......Lw......................T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7783.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8746
Entropy (8bit):	3.698497209428264
Encrypted:	false
SSDEEP:	192:R6l7wVeJVTS6YnU/4gmfcmY2IrKprt89bYH1fkIm:R6lXJhS6YUQgmfcmY2IhYVfK
MD5:	F434BB3914BD1F09B9174C4A57243DCD
SHA1:	5D01859A44252BE1756EB829C7BA6350B1F0F87E
SHA-256:	82FA228652B22A08DB4B039A5169C366D3459ACE06366D00EBCB15B0877CBD02
SHA-512:	3D365DD30CE7B9F32E5891CED95C5A40AAA395414D4AC3ECC9376FD1F4962F0313D43AA0E86C4FBA888D7FD021757F72EDA522CE6EAF316C1A8F3F9F4B7D2C20
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77A3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4602
Entropy (8bit):	4.421188312416305
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg771I9FqWda80aQ6Ym8M4J726FeQoyq85Xv4Y/f2d:uIjf7I7aLdlQJCh5+4Y/f2d
MD5:	FE13317E8D220F6169E929A293310BB7
SHA1:	D9273A9EBCAB3D0D21FEE6CC521277E83299C164
SHA-256:	465BF27829BC865D251B126348C2D628C743EB9BE0642364EA7787F9CE93DDDA
SHA-512:	60D00BF4C281C3656F676135374A7161016F314B9B43548DB927A3A4FB319128C9E8BF5D8F88C299BB1185D86AE69E466CBCE7F9F0875501F81950B3BF422CE8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="787194" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
File Type:	ASCII text, with very long lines (8866), with CRLF line terminators
Category:	dropped
Size (bytes):	10039
Entropy (8bit):	4.359905444201461
Encrypted:	false
SSDEEP:	192:YU9iVgKkHUIDMWAwJ+ujvyC1f6lPK9pino7BuzAFFd49nxUla5fgZljMggma:+VaV+
MD5:	42477723E227FECF72DA06CC51161407
SHA1:	97E4A32BC86F463888E6D307DAE4F9750666B289
SHA-256:	FF5982FDC40F127606CF5430A1872855A093A9B91775F87387F37DD614F23188
SHA-512:	9BDAA5FA62A32062BE5F21E110A0CEB8DBEB72FA0E61B8C4F2F308C239B5F0D7CFB178D2CC2BEC0C72CFDD40179DD7C3E3E9D5A2A75B78DC1540D7604209F1A6
Malicious:	false
Reputation:	low
Preview:	discord.gg/pubslounge.... .. /$$$$$$$ /$$$$$$$ /$$ ..\| $$__ $$ \| $$__ $$ \| $$ ..\| $$ \ $$ /$$$$$$ /$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$ \| $$ \ $$ /$$ /$$\| $$$$$$$ ..\| $$ \| $$ /$$__ $$\| $$__ $$\| $$ \| $$\| $$ /$$//$$__ $$ \| $$$$$$$/\| $$ \| $$\| $$__ $$ ..\| $$ \| $$\| $$$$$$$$\| $$ \ $$\| $$ \| $$ \ $$/$$/\| $$ \ $$ \| $$____/ \| $$ \| $$\| $$ \ $$ ..\| $$ \| $$\| $$_____/\| $$ \| $$\| $$ \| $$ \ $$$/ \| $$ \| $$ \| $$ \| $$ \| $$\| $$ \| $$ ..\| $$$$$$$/\| $$$$$$$\| $$ \| $$\| $$$$$$/ \ $/ \| $$$$$$/ \| $$ \| $$$$$$/\| $$$$$$$/ ..\|_______/ \_______/\|__/ \|__/ \______/ \_/ \______/ \|__/ \______/ \|_______/ ....Game: Black Myth Wukong ..Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong..------------------------------------------------------------..[>

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.996770301859017
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Black Myth Wukong Sigma Downloader.zip
File size:	5'993'588 bytes
MD5:	20f570224521e29be00f00760eb19908
SHA1:	cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256:	7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
SHA512:	554864980a6009914b16435a07f3892d8277b235915220f10db12a9fa17f479788bb71ab99ef204e3e01f8ae610923a18a55bf4c9cbf7e9ba6d376d13c026d33
SSDEEP:	98304:y92MnCktXhi/mziR92lYuXT9yyESogtzt50QWLGtvd9Rtahx8enkGIYRc2G5xOl6:y92CFXhRQ9kPElgV4QWId9DaL8eXa2GF
TLSH:	895633AB4B5956BD26ABF32C282E82F6CF09D10C3C564C60109EF5F533DA8C5D6CAD16
File Content Preview:	PK.........rzZI)...q[.........Sigma.exe...x.U..\..N..TG@.$.H..A..5........... .FPF.t..E.N$..V.=..g.u.>u6.Q6.N...H"....Wl..3! ..9.V..D.7.....}..n.{......{.{....q...c1....?.w..\|........J...n1.o..2..R{..Ew........s."...;.K.....cwO.l...yw.....C.q..W.....L..9.

File Icon


Icon Hash:	1c1c1e4e4ececedc

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 84
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 02:51:27.424815893 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:27.424904108 CEST	443	49705	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:27.425012112 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:27.439996004 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:27.440032959 CEST	443	49705	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:27.632494926 CEST	443	49705	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:27.632605076 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:27.643201113 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:27.643280029 CEST	443	49705	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:27.643374920 CEST	49705	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554148912 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554157019 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554184914 CEST	443	49730	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.554231882 CEST	443	49731	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.554279089 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554299116 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554318905 CEST	443	49732	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.554363012 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554413080 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554855108 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554883003 CEST	443	49731	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.554960966 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.554984093 CEST	443	49732	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555182934 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555191994 CEST	443	49733	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555269003 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555318117 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555336952 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555336952 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555349112 CEST	443	49730	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555351019 CEST	443	49734	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555401087 CEST	443	49735	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555453062 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555478096 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555774927 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555788040 CEST	443	49733	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555795908 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555835962 CEST	443	49735	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.555891991 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.555927992 CEST	443	49734	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.556355000 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.556428909 CEST	443	49736	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.556713104 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.556827068 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.556864977 CEST	443	49737	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.556930065 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.556941032 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.556973934 CEST	443	49738	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.557204962 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557444096 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557482958 CEST	443	49736	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.557554007 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557571888 CEST	443	49737	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.557624102 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557646990 CEST	443	49739	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.557842016 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557883978 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.557903051 CEST	443	49738	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.558060884 CEST	49740	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.558069944 CEST	443	49740	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.558084965 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.558103085 CEST	443	49739	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.558196068 CEST	49740	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.558693886 CEST	49740	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.558705091 CEST	443	49740	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.559382915 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.559393883 CEST	443	49741	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.559516907 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.559856892 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.559870005 CEST	443	49741	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.742086887 CEST	443	49731	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.742234945 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.743299961 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.743355036 CEST	443	49731	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.743411064 CEST	49731	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.745239019 CEST	443	49733	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.745342970 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.746562004 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.746609926 CEST	443	49733	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.746690989 CEST	49733	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.750247955 CEST	443	49734	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.750413895 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.751267910 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.751332045 CEST	443	49734	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.751463890 CEST	443	49734	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.751497030 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.751524925 CEST	49734	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.751801014 CEST	443	49739	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.751940966 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.752624035 CEST	443	49735	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.752775908 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.753077030 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.753113985 CEST	443	49739	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.753202915 CEST	443	49739	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.753256083 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.753256083 CEST	49739	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.753643036 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.753706932 CEST	443	49735	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.753814936 CEST	49735	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.755317926 CEST	443	49738	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.755412102 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.755965948 CEST	443	49732	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.756043911 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.756247044 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.756462097 CEST	443	49738	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.756531954 CEST	49738	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.756819963 CEST	443	49736	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.756899118 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.756931067 CEST	443	49741	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.756989956 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757035017 CEST	443	49730	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.757172108 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757328033 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757368088 CEST	443	49732	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.757416010 CEST	49732	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757776022 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757819891 CEST	443	49736	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.757945061 CEST	443	49736	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.757972956 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.757981062 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.758009911 CEST	49736	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.758023024 CEST	443	49741	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.758066893 CEST	49741	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.758269072 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.758296967 CEST	443	49730	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.758394957 CEST	443	49730	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.758475065 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.758475065 CEST	49730	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.760317087 CEST	443	49737	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.760467052 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.760685921 CEST	443	49740	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.760762930 CEST	49740	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.761240959 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.761400938 CEST	443	49737	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.761471033 CEST	49737	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.761977911 CEST	49740	443	192.168.2.16	104.71.182.190
Apr 2, 2025 02:51:36.762171030 CEST	443	49740	104.71.182.190	192.168.2.16
Apr 2, 2025 02:51:36.762273073 CEST	49740	443	192.168.2.16	104.71.182.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 02:51:27.302573919 CEST	54075	53	192.168.2.16	1.1.1.1
Apr 2, 2025 02:51:27.405354023 CEST	53	54075	1.1.1.1	192.168.2.16
Apr 2, 2025 02:51:36.452719927 CEST	55947	53	192.168.2.16	1.1.1.1
Apr 2, 2025 02:51:36.551925898 CEST	53	55947	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 02:51:27.302573919 CEST	192.168.2.16	1.1.1.1	0x3db	Standard query (0)	api.steampowered.com	A (IP address)	IN (0x0001)	false
Apr 2, 2025 02:51:36.452719927 CEST	192.168.2.16	1.1.1.1	0xc224	Standard query (0)	api.steampowered.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 02:51:27.405354023 CEST	1.1.1.1	192.168.2.16	0x3db	No error (0)	api.steampowered.com		104.71.182.190	A (IP address)	IN (0x0001)	false
Apr 2, 2025 02:51:36.551925898 CEST	1.1.1.1	192.168.2.16	0xc224	No error (0)	api.steampowered.com		104.71.182.190	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• rundll32.exe
• Sigma.exe
• conhost.exe
• cmd.exe
• WerFault.exe
• Sigma.exe
• conhost.exe
• cmd.exe

Click to jump to process

Memory Usage

• rundll32.exe
• Sigma.exe
• conhost.exe
• cmd.exe
• WerFault.exe
• Sigma.exe
• conhost.exe
• cmd.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	20:50:48
Start date:	01/04/2025
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff7174e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:51:10
Start date:	01/04/2025
Path:	C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Imagebase:	0x7ff67cd10000
File size:	8'707'584 bytes
MD5 hash:	FEF6B28CE1384A402B6F2EB2162C07AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:51:10
Start date:	01/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6aa7d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:51:10
Start date:	01/04/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff7d1030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:51:36
Start date:	01/04/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048
Imagebase:	0x7ff674fb0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:52:20
Start date:	01/04/2025
Path:	C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Imagebase:	0x7ff67cd10000
File size:	8'707'584 bytes
MD5 hash:	FEF6B28CE1384A402B6F2EB2162C07AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	20:52:20
Start date:	01/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6aa7d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	20:52:20
Start date:	01/04/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff7d1030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigma.exe_144c8af7cd7c54c2c2253da73a2bfa3ff06fe5ad_500bce02_45f55ca2-9278-4640-b0af-03ecc55c68d2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76D6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7783.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77A3.tmp.xml

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: rundll32.exePID: 7016, Parent PID: 796

General

File Activities

File Opened

Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip