Edit tour

Windows Analysis Report
250428-ced55sxxcw.bin.exe

Overview

General Information

Sample name:	250428-ced55sxxcw.bin.exe
Analysis ID:	1675826
MD5:	4b97e39d1d980d37940b17c567c4b791
SHA1:	cd6960c868791b6bbd55e71453d8230be5e42c28
SHA256:	798d8f7739015018294ef4b8e953e07d8839ecb4224f6033b40a85d656fcb6e6
Tags:	user-UNP4CK
Infos:

Detection

Neconyd

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Neconyd

C2 URLs / IPs found in malware configuration

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

250428-ced55sxxcw.bin.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe" MD5: 4B97E39D1D980D37940B17C567C4B791)

WerFault.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Neconyd		No Attribution	https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Neconyd.A	https://malpedia.caad.fkie.fraunhofer.de/details/win.neconyd

Malware Configuration

Threatname: Neconyd

{
  "C2 url": [
    "http://ow5dirasuek.com/",
    "http://lousta.net/",
    "http://mkkuei4kdsz.com/"
  ]
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 250428-ced55sxxcw.bin.exe PID: 7636	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 250428-ced55sxxcw.bin.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/

Avira URL Cloud: Label: phishing

Found malware configuration

Source: 250428-ced55sxxcw.bin.exe

Malware Configuration Extractor: Neconyd {"C2 url": ["http://ow5dirasuek.com/", "http://lousta.net/", "http://mkkuei4kdsz.com/"]}

Multi AV Scanner detection for submitted file

Source: 250428-ced55sxxcw.bin.exe

Virustotal: Detection: 63%

Perma Link

Source: 250428-ced55sxxcw.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

Source: 250428-ced55sxxcw.bin.exe, 00000000.00000000.1142065860.000000000040E000.00000002.00000001.01000000.00000003.sdmp, 250428-ced55sxxcw.bin.exe, 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/
Source: 250428-ced55sxxcw.bin.exe	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Yara detected Neconyd

Source: Yara match

File source: Process Memory Space: 250428-ced55sxxcw.bin.exe PID: 7636, type: MEMORYSTR

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Code function: 0_2_00402841	0_2_00402841
Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Code function: 0_2_0040C11C	0_2_0040C11C
Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Code function: 0_2_0040D7D0	0_2_0040D7D0

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 224

Source: 250428-ced55sxxcw.bin.exe

Static PE information: No import functions for PE file found

Source: 250428-ced55sxxcw.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.bank.troj.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7636

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ff60254d-fd02-404b-b9c3-98226923d713

Jump to behavior

Source: 250428-ced55sxxcw.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 250428-ced55sxxcw.bin.exe

Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe "C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe"
Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 224

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Code function: 0_2_0040D7B5 push ecx; ret

0_2_0040D7C8

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Code function: 0_2_0040AE45 LdrInitializeThunk,

0_2_0040AE45

Source: 250428-ced55sxxcw.bin.exe

Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*

Source: C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe

Code function: 0_2_0040D703 cpuid

0_2_0040D703

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
250428-ced55sxxcw.bin.exe	64%	Virustotal		Browse
250428-ced55sxxcw.bin.exe	100%	Avira	TR/Vundo.fvtym

Source	Detection	Scanner	Label	Link
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/	100%	Avira URL Cloud	phishing

Name	Malicious	Reputation
http://ow5dirasuek.com/	false	high
http://mkkuei4kdsz.com/	false	high
http://lousta.net/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/	250428-ced55sxxcw.bin.exe, 00000000.00000000.1142065860.000000000040E000.00000002.00000001.01000000.00000003.sdmp, 250428-ced55sxxcw.bin.exe, 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: phishing	unknown
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	250428-ced55sxxcw.bin.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1675826
Start date and time:	2025-04-28 04:05:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	250428-ced55sxxcw.bin.exe
Detection:	MAL
Classification:	mal84.bank.troj.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.151.133, 184.29.183.29, 20.12.23.50
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 250428-ced55sxxcw.bin.exe, PID 7636 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
22:06:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_250428-ced55sxxc_cad0dc66679a32782613d041a1fa9f1abbde509b_f88e837f_6f795332-548d-4fa4-a18c-acc143f1d5d4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6454908367238045
Encrypted:	false
SSDEEP:	96:jOFV7xoI8ds3hg1yDfYQXIDcQzc6CmcE1cw3C/+HbHg6ZAX/d5FMT2SlPkpXmTAR:6X7OI8dG0NXf/jEzuiF8Z24IO8X
MD5:	5C166632DC74EBA67117C0280C38BBA8
SHA1:	C4C31375CE300DBEB79EDB19995C48E10323A08F
SHA-256:	BF1BB1182A0EE80C204CDD84DC2A5D438AC232F03DC03E4DC00085AB79F8998D
SHA-512:	711DB60AFCE2AA9550F68CAA48848C77F2B52AB7B27372A4962DC2EA353DF13BC1985A0760208DC333DCD4573E4D726C818433B9D1E9033AE817CACE842E721A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.0.2.7.9.5.8.1.8.5.6.2.6.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.9.0.2.7.9.5.8.2.2.3.1.2.6.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.7.9.5.3.3.2.-.5.4.8.d.-.4.f.a.4.-.a.1.8.c.-.a.c.c.1.4.3.f.1.d.5.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.3.e.d.4.6.2.-.2.c.b.8.-.4.1.0.5.-.a.a.e.7.-.4.3.9.c.7.5.9.8.7.4.3.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.5.0.4.2.8.-.c.e.d.5.5.s.x.x.c.w...b.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.4.-.0.0.0.1.-.0.0.1.8.-.b.0.0.e.-.f.e.2.2.e.2.b.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.3.3.e.8.2.1.4.7.c.3.0.9.d.a.e.3.9.9.f.c.7.f.8.f.e.5.2.b.a.a.b.0.0.0.0.f.f.f.f.!.0.0.0.0.c.d.6.9.6.0.c.8.6.8.7.9.1.b.6.b.b.d.5.5.e.7.1.4.5.3.d.8.2.3.0.b.e.5.e.4.2.c.2.8.!.2.5.0.4.2.8.-.c.e.d.5.5.s.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2BC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Apr 28 02:06:21 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	19462
Entropy (8bit):	2.019789298374241
Encrypted:	false
SSDEEP:	96:5m8cg84Co8cLy0pTi7nSYRekdZLnapmFx/W7+/FWI/WIwLbZ2/Cu:LI69m+OnUkdZCKx+7w+2q
MD5:	0561341083E94FD5841139E4839E8CD6
SHA1:	C51BF67D53F72A20B21236EE4D6DC1812D718013
SHA-256:	B7E671F6E276523EC3CAED950329279C8B301D54FE73212A5A7EBF2702A8A844
SHA-512:	75FEF70486D15BD09231F768519D4FD73E41BCADA96B95161AE96042F5FBFB9BADB4F209E64A520CFEF59120F84D5D9A7FD7D63F0A0725AC5C774AE7585C992A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........h............4...............<.......T...............T.......8...........T...........H....B......................................................................................................eJ......L.......GenuineIntel............T..............h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD31B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.6957655367990623
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/G6C06Y6TSU9gHZgmfkJbWOUpxt89bmTsf8jim:R6lXJO6C06YeSU9gHZgmfkJbWOZm4f8H
MD5:	247FBC019986D9B1034D212E3589CF81
SHA1:	F0817CBEE1B8B7B4B50D7DB3FE49781791A9A175
SHA-256:	F254082A7061D2BDC5DDA309E0A38A5CC1A5C530C97E951E75532F2CF7FABFB0
SHA-512:	5958808A621E817EA0DF971657E06434F7CAF34AC97C228F3216C0B7F09E0947B12723250FEEBD5481757D1EDF0F6AEF74E82AB928B89E31B243CCCB43941E76
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.473968330888085
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9tqWpW8VY8Ym8M4JfrbuF2+q8QSUE00ovZijJd:uIjfwI7bL7VoJfr1PLEZoUjJd
MD5:	424292864471E9E64B002638075B0C4C
SHA1:	2CC2DCB575FC81FB475E238A19869C70404BF176
SHA-256:	2C385B3FF1E7317C1A17DC4751EF4589A9BF309645F7E270F7464B84C354BA03
SHA-512:	927AFD051293368D28E9029592E907E7287FE9CC3D5E17A310A84DFD1E72A4E6C476D39E47F584BE53EC7624E54B48A614D0A4D5C762D90300905AED1F507C26
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824709" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46871520237646
Encrypted:	false
SSDEEP:	6144:aIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABlVuNxdwBCswSb9:vXD94QWlLZMM6YFUP+9
MD5:	451184C1AF3514DCBB5CB4C394746F55
SHA1:	8BC69A9FB40EF47251891D9C9366AC04A5FA4464
SHA-256:	070CE1686045D1DF20CC8958FB9B2C502360D3E2DF43F1184720923CA4321B8A
SHA-512:	E70A1AB0FEC3683C5A24440F552DDD44DEB9FD8A88770592A850E47729695CE526E92F5CD3AC8E7A4B020AE83813E0EAC0FE0CAEC5ECF39A1A77CC42EFEA836F
Malicious:	false
Reputation:	low
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..,#................................................................................................................................................................................................................................................................................................................................................7:.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.07536607272216
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	250428-ced55sxxcw.bin.exe
File size:	167'936 bytes
MD5:	4b97e39d1d980d37940b17c567c4b791
SHA1:	cd6960c868791b6bbd55e71453d8230be5e42c28
SHA256:	798d8f7739015018294ef4b8e953e07d8839ecb4224f6033b40a85d656fcb6e6
SHA512:	4c1aed05ce064cce757d71a10ae0183a14ca19e06d9007f1e382bf66a9ba6ec0715479272ac65ab2d7fc55e03181dce85e0fc32002e9a3ba7b47916a029a35c1
SSDEEP:	1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZQl/5:mdseIOMEZEyFjEOFqTiQmSl/5
TLSH:	CFF38C95B2F9C075E1A309F16A7DAA91C9FEBD3815A0D5C7D3101C8B6EB41D2C23938B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m...m.m.m...m.m.m...mRich...m................PE..L......P...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b346
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50B4DEB4 [Tue Nov 27 15:39:32 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
mov esi, eax
mov eax, dword ptr [esp+0Ch]
xor edx, edx
lea ebx, dword ptr [ecx+04h]
div ebx
push edi
xor edi, edi
inc edi
mov eax, edx
test eax, eax
jne 00007F67EC70605Ah
cmp dword ptr [esp+10h], edx
je 00007F67EC706054h
xor edi, edi
cmp eax, ecx
jnl 00007F67EC706059h
call 00007F67EC7032E6h
jmp 00007F67EC706062h
sub eax, ecx
mov edx, dword ptr [00411020h+eax*4]
push esi
call 00007F67EC700DE7h
pop ecx
mov eax, edi
pop edi
pop esi
pop ebx
ret
push ebp
mov ebp, esp
sub esp, 00000528h
push ebx
push esi
xor esi, esi
cmp dword ptr [004114E4h], esi
push edi
jne 00007F67EC706069h
jmp 00007F67EC70605Dh
push 00002710h
call dword ptr [0040E070h]
call 00007F67EC7025BBh
cmp eax, 01h
jne 00007F67EC70603Dh
lea eax, dword ptr [ebp-0000025Ch]
push eax
mov edx, 0040F428h
mov dword ptr [ebp-08h], esi
call 00007F67EC700D9Fh
pop ecx
lea eax, dword ptr [ebp-5Ch]
mov ecx, 000002C1h
call 00007F67EC700F79h
push eax
lea eax, dword ptr [ebp-0000025Ch]
push eax
call 00007F67EC700D9Ch
cmp dword ptr [ebp+08h], esi
pop ecx
pop ecx
lea eax, dword ptr [ebp-5Ch]
jne 00007F67EC70605Eh
mov word ptr [ebp-5Ch], 0030h
mov word ptr [ebp-5Ah], si
jmp 00007F67EC70605Ah
mov ecx, dword ptr [ebp+08h]
call 00007F67EC700F4Eh
push eax
lea eax, dword ptr [ebp-0000025Ch]
push eax
call 00007F67EC700D71h

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[ C ] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf77c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf6a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcc18	0xce00	d0966d2bff525ddfdb5da1da9f6fe144	False	0.5682076759708737	data	6.437061179508022	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2144	0x2200	c4bd2f37e003ad9c2721891f498fb02a	False	0.4465762867647059	data	4.7204252362917885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x1712c	0x200	fd2a4eaf3d2434f8a9745d122843b984	False	0.49609375	data	3.2871307815025523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

• 250428-ced55sxxcw.bin.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• 250428-ced55sxxcw.bin.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	22:06:21
Start date:	27/04/2025
Path:	C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\250428-ced55sxxcw.bin.exe"
Imagebase:	0x400000
File size:	167'936 bytes
MD5 hash:	4B97E39D1D980D37940B17C567C4B791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:06:21
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 224
Imagebase:	0x840000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00402841 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

@, xrefs: 00402D0A
0, xrefs: 00402D75
0, xrefs: 00402887
0, xrefs: 00402D4E
0, xrefs: 00402A62

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: 0$0$0$0$@
API String ID: 0-2141838920
Opcode ID: 6233d21f8f41c6638991a27769a998e9ca261c0ed22ed58732cfb5906a9e8f33
Instruction ID: 9153a553463f483b47784e82c729639367dc34dfce62b0d5a81b228ab25cdc34
Opcode Fuzzy Hash: 6233d21f8f41c6638991a27769a998e9ca261c0ed22ed58732cfb5906a9e8f33
Instruction Fuzzy Hash: 5BF1E2729101189ACB14FBA6CC959FE737CEF00304F5144BFE506BA1C2EB78AE558B99

Function 0040AE45 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

J4@, xrefs: 0040AE9E, 0040AEA1

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: J4@
API String ID: 0-1337615203
Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction ID: b3e08a46979bcc44f3701220f69decd605735954be50bc31d726fec0d947a342
Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction Fuzzy Hash: 85118F72C10219ABCB00DFAADD448DFBBB9FF08354B11456AF415B7250E770AA24CFA4

Function 0040C11C Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction ID: bb4188e3137251c5ef03231516b1bccc34eae6464746aef1c6c7755c91698918
Opcode Fuzzy Hash: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction Fuzzy Hash: FA423CB6E413099FDB08CFD6D8C09DCB7B3FFD8314B1A91A9C505A7316D6B87A068A50

Function 00403A3E Relevance: 12.8, Strings: 10, Instructions: 309COMMON

Download Yara Rule

Strings

<@, xrefs: 00403DEE
T@, xrefs: 00403C1A
8@, xrefs: 00403BBA
t@, xrefs: 00403CC8
8@, xrefs: 00403DAC
d@, xrefs: 00403B16
<@, xrefs: 00403BFE
h@, xrefs: 00403C5E
H@, xrefs: 00403C0F
4@, xrefs: 00403AF1

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: 4@$8@$8@$<@$<@$H@$T@$d@$h@$t@
API String ID: 0-2194008548
Opcode ID: a41154f483eb2feb1f8cdb101e40aab1ea6037569e005d2c7b1be5427c8e0573
Instruction ID: ea7aa2e8a72f0b8af36fe67b963cf4a3da25b8daa1658a789c650762398d7004
Opcode Fuzzy Hash: a41154f483eb2feb1f8cdb101e40aab1ea6037569e005d2c7b1be5427c8e0573
Instruction Fuzzy Hash: 64B19172A001199BCB14EF61C992AEE77ADEF44308F00807FF54AE72D1DE389A558B59

Function 00404810 Relevance: 8.9, Strings: 7, Instructions: 173COMMON

Download Yara Rule

Strings

&, xrefs: 00404907
,@, xrefs: 004049A1
$, xrefs: 004048F9
D@, xrefs: 00404841
#, xrefs: 0040490E
)%, xrefs: 00404963
`@, xrefs: 0040482F

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: #$$$&$,@$D@$`@$)%
API String ID: 0-2724842122
Opcode ID: 26a60c882627c28867f677b4a624bccb3a598a0c665a57cbf2964444da996c58
Instruction ID: 94b29c303d9d399fe0bc6e23d13c2a58fe72b0f138493bdc02a4d5f2fa3b87be
Opcode Fuzzy Hash: 26a60c882627c28867f677b4a624bccb3a598a0c665a57cbf2964444da996c58
Instruction Fuzzy Hash: 305151B2D0011CABDB10DAA1DC45FDFB3BCAB88314F104577E619F7181EA789B898B65

Function 00405E29 Relevance: 7.6, Strings: 6, Instructions: 134COMMON

Download Yara Rule

Strings

hOA, xrefs: 00405F05
t@, xrefs: 00405F18
8@, xrefs: 00405E75
D@, xrefs: 00405FB2
h@, xrefs: 00405ED0
<@, xrefs: 00405EB4

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: 8@$<@$D@$hOA$h@$t@
API String ID: 0-2441936998
Opcode ID: 8cbc25bc6f241cd323617c33a3fb4c2ed11cad7dc1421c47a3ca21e630fc7398
Instruction ID: 94b7fb8decd46a348e423e30dc2346661a29f8794114b39d7ce5c1f521f8a046
Opcode Fuzzy Hash: 8cbc25bc6f241cd323617c33a3fb4c2ed11cad7dc1421c47a3ca21e630fc7398
Instruction Fuzzy Hash: DD41B531A4052886CB14EBA2CD428EF73A9EF44314F11407FE546B71D1EE3C9E998B5A

Function 00407A69 Relevance: 6.4, Strings: 5, Instructions: 130COMMON

Download Yara Rule

Strings

8@, xrefs: 00407AD2
0, xrefs: 00407AF5
t@, xrefs: 00407B8E
<@, xrefs: 00407B14
h@, xrefs: 00407B2E

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: 0$8@$<@$h@$t@
API String ID: 0-934552043
Opcode ID: 0c54be42a940ada7c01b93dada624c6ca767a6853eaa88d115c889b82e9b7449
Instruction ID: 2b7ade813d214d8807da9916cea949f1e3cbf777fea247587ab77483a9acfd33
Opcode Fuzzy Hash: 0c54be42a940ada7c01b93dada624c6ca767a6853eaa88d115c889b82e9b7449
Instruction Fuzzy Hash: 55419531A0021896DB15EBA2DC51BDE7369FF44308F0044BFF50AB71C1DB38AEA48B5A

Function 00408E48 Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

., xrefs: 00408EB7
A@, xrefs: 00408F3F
@@, xrefs: 00408E5E
A@, xrefs: 00408F79
., xrefs: 00408ECE

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: A@$A@$.$.$@@
API String ID: 0-1869345758
Opcode ID: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
Instruction ID: b7165ad25587a7a69c6d8a300c86c782a8266dc970247c1bcc76e0e0d1260b72
Opcode Fuzzy Hash: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
Instruction Fuzzy Hash: 0641333140021EABCF219F60DE48BDE7B76AF44318F1441BAF984B11A1DB798DA5CB99

Function 0040B893 Relevance: 6.4, Strings: 5, Instructions: 105COMMON

Download Yara Rule

Strings

d, xrefs: 0040B9B6
p*commander*, xrefs: 0040B8DB
hOA, xrefs: 0040B8C0
0, xrefs: 0040B912
*totalcmd*, xrefs: 0040B937

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: *totalcmd*$0$d$hOA$p*commander*
API String ID: 0-3173151310
Opcode ID: 361b551e5094931bfd2fa5e0cf847c6448ef0442fc10ad5ae28c408333034189
Instruction ID: 20ba859c4456204375ac288962c0d4f821fd98130ff7dde681f623e34bacb19d
Opcode Fuzzy Hash: 361b551e5094931bfd2fa5e0cf847c6448ef0442fc10ad5ae28c408333034189
Instruction Fuzzy Hash: C431BDB2D041199ADF10BBA6DC8599E77B8EF80304F10847FE605B72C1DB3C59558B9D

Function 0040DB50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__FindPESection.LIBCMT ref: 0040DBA9

Strings

begun.ru, xrefs: 0040DB6C
//%S:%S@%S:%u, xrefs: 0040DB55

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID: FindSection
String ID: //%S:%S@%S:%u$begun.ru
API String ID: 3341428096-1438209592
Opcode ID: 31054d8d1442c9c5b837356f012453f620386bd76762cb394a3f8c8ec8ea57fc
Instruction ID: cc3e13047c083961264f434c74dfb90550f376de9bd551226838407549af4135
Opcode Fuzzy Hash: 31054d8d1442c9c5b837356f012453f620386bd76762cb394a3f8c8ec8ea57fc
Instruction Fuzzy Hash: 6211E972A442089BC710DF9DED42B5ABBF4E704765F20423BE815E36C0D739A5048698

Function 0040BECE Relevance: 5.2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

\settings\general\favorites, xrefs: 0040C0D9
lder, xrefs: 0040BFAD
*commander*, xrefs: 0040BF6E
ins\ftp\hosts, xrefs: 0040BFA8

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: *commander*$\settings\general\favorites$ins\ftp\hosts$lder
API String ID: 0-2914342276
Opcode ID: f65970d4df5f3037a1e0893a167fc332f11d48b6b171e351ee656ef5df9bf048
Instruction ID: 3db967db00a2244ca47b9e1ed6561ecf852ee8f9928ea22d9fef9dc49780dacd
Opcode Fuzzy Hash: f65970d4df5f3037a1e0893a167fc332f11d48b6b171e351ee656ef5df9bf048
Instruction Fuzzy Hash: D251A672500215AAE720B7B29D46FAB326CEF04745F14447BFA05F10D2EF7C9A448AAE

Function 00402073 Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

0, xrefs: 0040211A
p@, xrefs: 004021BD
d@, xrefs: 00402176
0, xrefs: 00402138

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: 0$0$d@$p@
API String ID: 0-1769311377
Opcode ID: 5d8a42cc8806cdfed02ce9c24aa308994c24c1bc3c82fbe3f2b4d2a78091fded
Instruction ID: e496d1ffbfb60b48b6e3a8efa0e6a9778fd141815191053366d62fec5d75beff
Opcode Fuzzy Hash: 5d8a42cc8806cdfed02ce9c24aa308994c24c1bc3c82fbe3f2b4d2a78091fded
Instruction Fuzzy Hash: 50510330600644CBDB21DF15C8419EABBE1FF44344F10447EE586AB3E2D7B4ACA2CB99

Function 00404340 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

0@, xrefs: 0040436D
H@, xrefs: 0040435E
#, xrefs: 004043DC
&, xrefs: 004043EA

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: #$&$0@$H@
API String ID: 0-1908301121
Opcode ID: d1c0da0a2e990da04c6469d913f7c9953384b46cee7731d8c0cdb13b4e7936e3
Instruction ID: c151c07649e95d39f4eb0f61aebfc97a51e42000f5abc99762f11e41b2c12040
Opcode Fuzzy Hash: d1c0da0a2e990da04c6469d913f7c9953384b46cee7731d8c0cdb13b4e7936e3
Instruction Fuzzy Hash: 953162B290011CBADB10EAE5DC86EDFB7BCEB84304F10457BF605F7181EA389A458B65

Function 0040AF45 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

om: , xrefs: 0040AFEA
tml, xrefs: 0040AFDA
ontrol, xrefs: 0040AFF9
d@, xrefs: 0040AFA8

Memory Dump Source

Source File: 00000000.00000002.2395386734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2395340809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395431420.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395475466.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2395507250.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_250428-ced55sxxcw.jbxd

Similarity

API ID:
String ID: d@$om: $ontrol$tml
API String ID: 0-3228015729
Opcode ID: 0062d979bbb22590373897c344060e8ae2a600867fade6592f3e24b0b145be59
Instruction ID: 2a12df24fd92f45ab4adce4db6b05336b53dbee4c24439c31815630517e69ac8
Opcode Fuzzy Hash: 0062d979bbb22590373897c344060e8ae2a600867fade6592f3e24b0b145be59
Instruction Fuzzy Hash: F13195717001198BCB24EE65E88166E3365EF90304F05807FF61ABB2D1DB39DE648B5E

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 250428-ced55sxxcw.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Neconyd

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_250428-ced55sxxc_cad0dc66679a32782613d041a1fa9f1abbde509b_f88e837f_6f795332-548d-4fa4-a18c-acc143f1d5d4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2BC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD31B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
250428-ced55sxxcw.bin.exe