Play interactive tour

Edit tour

Analysis Report payload.exe

Overview

General Information

Sample Name:	payload.exe
Analysis ID:	433772
MD5:	b06395f18df7aec3d7c00aa219594631
SHA1:	83e8ebe8e706fe4fdb0220cac18094ca4caa0259
SHA256:	1d9bccec9ebbe9e1b0947bdbb0a80c09e7277b2af65a4d25d64d99606d2a7b3a
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

payload.exe (PID: 2596 cmdline: 'C:\Users\user\Desktop\payload.exe' MD5: B06395F18DF7AEC3D7C00AA219594631)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: payload.exe

Avira: detected

Source: payload.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: payload.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: m.pdb*, q_Hi source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp
Source:	Binary string: 0C:\Windows\System.pdbG>g source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp

Source: payload.exe, 00000001.00000002.1297195072.000000000053C000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs payload.exe
Source: payload.exe, 00000001.00000002.1296955099.0000000000104000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameShell.exe$ vs payload.exe
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs payload.exe
Source: payload.exe	Binary or memory string: OriginalFilenameShell.exe$ vs payload.exe

Source: payload.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 1.0.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::.ctor()
Source: 1.0.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::Main(System.String[])
Source: 1.0.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::<Main>m__0(System.Object)
Source: 1.0.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::Shell()
Source: 1.0.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::CmdOutputDataHandler(System.Object,System.Diagnostics.DataReceivedEventArgs)
Source: payload.exe, Program.cs	Suspicious method names: System.Void Payload.Program::.ctor()
Source: payload.exe, Program.cs	Suspicious method names: System.Void Payload.Program::Main(System.String[])
Source: payload.exe, Program.cs	Suspicious method names: System.Void Payload.Program::<Main>m__0(System.Object)
Source: payload.exe, Program.cs	Suspicious method names: System.Void Payload.Program::Shell()
Source: payload.exe, Program.cs	Suspicious method names: System.Void Payload.Program::CmdOutputDataHandler(System.Object,System.Diagnostics.DataReceivedEventArgs)
Source: 1.2.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::.ctor()
Source: 1.2.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::Main(System.String[])
Source: 1.2.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::<Main>m__0(System.Object)
Source: 1.2.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::Shell()
Source: 1.2.payload.exe.100000.0.unpack, Program.cs	Suspicious method names: System.Void Payload.Program::CmdOutputDataHandler(System.Object,System.Diagnostics.DataReceivedEventArgs)

Source: classification engine

Classification label: mal48.winEXE@2/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01

Source: payload.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payload.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\Desktop\payload.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\payload.exe

File read: C:\Users\user\Desktop\payload.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\payload.exe 'C:\Users\user\Desktop\payload.exe'
Source: C:\Users\user\Desktop\payload.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: payload.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: payload.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: m.pdb*, q_Hi source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp
Source:	Binary string: 0C:\Windows\System.pdbG>g source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payload.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 420000
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419891
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419781
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419672
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419562
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419453
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419344
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419234
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419125
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419016
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418906
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418797
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418687
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418578
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418469
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418359
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418250
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418141
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418031
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417922
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417812
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417703
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417594
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417484
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417375
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417266
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417156
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417047
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416937
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416828
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416719
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416609
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416500
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416391
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416281
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416172
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416062
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415953
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415843
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415734
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415625
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415516
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415406
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415297
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415187
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415078
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414969
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414859
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414750
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414641
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414531

Source: C:\Users\user\Desktop\payload.exe	Window / User API: threadDelayed 6914
Source: C:\Users\user\Desktop\payload.exe	Window / User API: threadDelayed 2913

Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419891s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419781s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419672s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419562s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419453s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419344s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419234s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419125s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -419016s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418906s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418797s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418687s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418578s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418469s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418359s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418250s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418141s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -418031s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417922s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417812s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417703s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417594s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417484s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417375s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417266s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417156s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -417047s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416937s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416828s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416719s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416609s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416500s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416391s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416281s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416172s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -416062s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415953s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415843s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415734s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415625s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415516s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415406s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415297s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415187s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -415078s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -414969s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -414859s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -414750s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -414641s >= -30000s
Source: C:\Users\user\Desktop\payload.exe TID: 6108	Thread sleep time: -414531s >= -30000s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 420000
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419891
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419781
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419672
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419562
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419453
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419344
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419234
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419125
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 419016
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418906
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418797
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418687
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418578
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418469
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418359
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418250
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418141
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 418031
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417922
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417812
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417703
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417594
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417484
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417375
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417266
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417156
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 417047
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416937
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416828
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416719
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416609
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416500
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416391
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416281
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416172
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 416062
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415953
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415843
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415734
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415625
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415516
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415406
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415297
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415187
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 415078
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414969
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414859
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414750
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414641
Source: C:\Users\user\Desktop\payload.exe	Thread delayed: delay time: 414531

Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: payload.exe, 00000001.00000002.1297256206.0000000000599000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\payload.exe

Memory allocated: page read and write | page guard

Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\payload.exe

Queries volume information: C:\Users\user\Desktop\payload.exe VolumeInformation

Source: C:\Users\user\Desktop\payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payload.exe	100%	Avira	HEUR/AGEN.1133230

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.payload.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1133230		Download File
1.0.payload.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1133230		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.31.2.89	unknown	Reserved		7018	ATT-INTERNET4US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433772
Start date:	13.06.2021
Start time:	19:38:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	payload.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@2/1@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target payload.exe, PID 2596 because it is empty Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:38:55	API Interceptor	3653x Sleep call for process: payload.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ATT-INTERNET4US	payload.exe	Get hash	malicious	Browse	172.31.2.56
	payload.exe	Get hash	malicious	Browse	172.31.2.71
	payload.exe	Get hash	malicious	Browse	172.31.2.100
	mssecsvr.exe	Get hash	malicious	Browse	71.149.37.79
	Docc.html	Get hash	malicious	Browse	13.36.218.177
	fL8BN6Qdsu.dll	Get hash	malicious	Browse	13.32.16.68
	#Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen.htm	Get hash	malicious	Browse	13.36.218.177
	mjzvlwau	Get hash	malicious	Browse	13.171.225.162
	MedMooc.exe	Get hash	malicious	Browse	172.17.0.207
	FAX.HTML	Get hash	malicious	Browse	13.36.218.177
	K9pRfTme7J.exe	Get hash	malicious	Browse	172.18.60.217
	K9pRfTme7J.exe	Get hash	malicious	Browse	172.18.60.217
	project-a.exe	Get hash	malicious	Browse	172.129.113.237
	project-a.exe	Get hash	malicious	Browse	172.129.113.237
	OW73NJTujh.dll	Get hash	malicious	Browse	12.96.42.215
	S5.exe	Get hash	malicious	Browse	12.176.148.42
	_cro.exe	Get hash	malicious	Browse	172.16.2.1
	EKSkwdJJI7.exe	Get hash	malicious	Browse	172.19.255.48
	DA1wxOjE9C.exe	Get hash	malicious	Browse	13.36.178.139
	XPChvE6GQd	Get hash	malicious	Browse	45.30.40.164

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	784
Entropy (8bit):	4.821721066094882
Encrypted:	false
SSDEEP:	12:pqecNtxWvWlGxWVDroBitqecNtxWvWlGxWVDroBO:rcNtxHlG8VXTHcNtxHlG8VXv
MD5:	C147D87539490FCE026C828437C09B01
SHA1:	A921A72CCBED142579DE211DA005FB65AE713A07
SHA-256:	12AE6114710970B7297DD8C52A0874FA455E11F96235FC38DD863A6174213629
SHA-512:	D686D4EFA3C7D5CD152AB535B2EC95EEFE66D70A60A85C2E9A79202481879D67117B24254543E173BBA56461BD80098D49FABE0D107427D32D772903CF5080F4
Malicious:	false
Reputation:	low
Preview:	System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.31.2.89:56.. at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port).. at Payload.Program.Shell().. at Payload.Program.<Main>m__0(Object e)System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.31.2.89:56.. at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port).. at Payload.Program.Shell().. at Payload.Program.<Main>m__0(Object e)

Static File Info

General
File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.742190561091188
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	payload.exe
File size:	5120
MD5:	b06395f18df7aec3d7c00aa219594631
SHA1:	83e8ebe8e706fe4fdb0220cac18094ca4caa0259
SHA256:	1d9bccec9ebbe9e1b0947bdbb0a80c09e7277b2af65a4d25d64d99606d2a7b3a
SHA512:	76402a28a309311854efbd07589187a59bb90a696e9fdb662c921a7f98633c0e73f476c5e1d71404a7c0ad5d09edee7e40d5ff8d1ac310a792c93faef5e89e2f
SSDEEP:	48:6HkFjGNa8766G8KH4duogo+bAcyMuPCU2Z+FK16+k+lDUrinJmwJL0TQZtEOPulr:7Fj8G8KH49go+E1PCUUdTUrs7bsP0M
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................................>*... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x402a3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x2d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa44	0xc00	False	0.5068359375	data	4.66745426327	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x2d8	0x400	False	0.328125	data	2.32307159838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x4058	0x280	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x007f 0x04b0
LegalCopyright
InternalName	Shell
FileVersion	0.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename	Shell.exe

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 13, 2021 19:38:55.633399963 CEST	49709	56	192.168.2.5	172.31.2.89
Jun 13, 2021 19:38:58.644207001 CEST	49709	56	192.168.2.5	172.31.2.89
Jun 13, 2021 19:39:04.644779921 CEST	49709	56	192.168.2.5	172.31.2.89
Jun 13, 2021 19:45:55.242383003 CEST	49746	56	192.168.2.5	172.31.2.89
Jun 13, 2021 19:45:58.255409956 CEST	49746	56	192.168.2.5	172.31.2.89
Jun 13, 2021 19:46:04.271543026 CEST	49746	56	192.168.2.5	172.31.2.89

Code Manipulations

Statistics

Behavior

• payload.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: payload.exe PID: 2596 Parent PID: 5812

General

Start time:	19:38:54
Start date:	13/06/2021
Path:	C:\Users\user\Desktop\payload.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\payload.exe'
Imagebase:	0x100000
File size:	5120 bytes
MD5 hash:	B06395F18DF7AEC3D7C00AA219594631
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Created

File Written

File Read

Analysis Process: conhost.exe PID: 5388 Parent PID: 2596

General

Start time:	19:38:54
Start date:	13/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

TCP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: payload.exe PID: 2596 Parent PID: 5812

General

File Activities

File Created

File Written

File Read

Analysis Process: conhost.exe PID: 5388 Parent PID: 2596

General

Disassembly

Code Analysis