Play interactive tour

Edit tour

Windows Analysis Report ngrok.exe

Overview

General Information

Sample Name:	ngrok.exe
Analysis ID:	445002
MD5:	074863c3352d6dda17dcb8bdc6a8929f
SHA1:	8a07e8326dec5b754becce68b5b02b85653d6029
SHA256:	3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56
Infos:
Most interesting Screenshot:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a process in suspended mode (likely to inject code)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

ngrok.exe (PID: 3080 cmdline: 'C:\Users\user\Desktop\ngrok.exe' MD5: 074863C3352D6DDA17DCB8BDC6A8929F)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ngrok.exe (PID: 4112 cmdline: C:\Users\user\Desktop\ngrok.exe MD5: 074863C3352D6DDA17DCB8BDC6A8929F)

cmd.exe (PID: 6580 cmdline: cmd.exe /K MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ngrok.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: ngrok.exe, 00000001.00000002.929984551.00000000013A4000.00000002.00020000.sdmp, ngrok.exe, 00000003.00000000.681479977.00000000013A4000.00000002.00020000.sdmp	String found in binary or memory: http://127.0.0.1:%d/samplingincompatible
Source: ngrok.exe, 00000003.00000002.694335290.000000C0000A2000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5778/sampling
Source: ngrok.exe, 00000003.00000002.694358255.000000C0000AA000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5778/samplingbackendnmarshalingproto:
Source: ngrok.exe, 00000001.00000002.934102399.000000C000038000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:5778/samplingkernel32.dllkernel32.dlladvapi32.dllRegisterServiceCtrlHandlerExWadvap
Source: ngrok.exe, 00000003.00000002.694345640.000000C0000A8000.00000004.00000001.sdmp	String found in binary or memory: https://dashboard.ngrok.com/signup

Source: ngrok.exe

Static PE information: Number of sections : 13 > 10

Source: ngrok.exe

Static PE information: Section: /19 ZLIB complexity 0.99954199549

Source: classification engine

Classification label: clean2.winEXE@6/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01

Source: ngrok.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ngrok.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe

File read: C:\Users\user\Desktop\ngrok.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ngrok.exe 'C:\Users\user\Desktop\ngrok.exe'
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K	Jump to behavior

Source: ngrok.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ngrok.exe

Static file information: File size 30718976 > 1048576

Source: ngrok.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9f2800
Source: ngrok.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa9d400
Source: ngrok.exe	Static PE information: Raw size of /19 is bigger than: 0x100000 < 0x14ca00
Source: ngrok.exe	Static PE information: Raw size of /65 is bigger than: 0x100000 < 0x22f200
Source: ngrok.exe	Static PE information: Raw size of /78 is bigger than: 0x100000 < 0x13ba00
Source: ngrok.exe	Static PE information: Raw size of .symtab is bigger than: 0x100000 < 0x230600

Source: ngrok.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: ngrok.exe	Static PE information: section name: /4
Source: ngrok.exe	Static PE information: section name: /19
Source: ngrok.exe	Static PE information: section name: /32
Source: ngrok.exe	Static PE information: section name: /46
Source: ngrok.exe	Static PE information: section name: /65
Source: ngrok.exe	Static PE information: section name: /78
Source: ngrok.exe	Static PE information: section name: /90
Source: ngrok.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\ngrok.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ngrok.exe, 00000001.00000002.937585409.000002125D4D3000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: ngrok.exe, 00000003.00000002.697405345.00000232DCFEF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ

Source: C:\Users\user\Desktop\ngrok.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K			Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Software Packing1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ngrok.exe	0%	Metadefender		Browse
ngrok.exe	3%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:5778/samplingkernel32.dllkernel32.dlladvapi32.dllRegisterServiceCtrlHandlerExWadvap	0%	Avira URL Cloud	safe
http://127.0.0.1:5778/sampling	0%	Avira URL Cloud	safe
http://127.0.0.1:5778/samplingbackendnmarshalingproto:	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/samplingincompatible	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:5778/samplingkernel32.dllkernel32.dlladvapi32.dllRegisterServiceCtrlHandlerExWadvap	ngrok.exe, 00000001.00000002.934102399.000000C000038000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dashboard.ngrok.com/signup	ngrok.exe, 00000003.00000002.694345640.000000C0000A8000.00000004.00000001.sdmp	false		high
http://127.0.0.1:5778/sampling	ngrok.exe, 00000003.00000002.694335290.000000C0000A2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:5778/samplingbackendnmarshalingproto:	ngrok.exe, 00000003.00000002.694358255.000000C0000AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/samplingincompatible	ngrok.exe, 00000001.00000002.929984551.00000000013A4000.00000002.00020000.sdmp, ngrok.exe, 00000003.00000000.681479977.00000000013A4000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	445002
Start date:	06.07.2021
Start time:	23:11:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ngrok.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winEXE@6/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/445002/sample/ngrok.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.679004473128721
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ngrok.exe
File size:	30718976
MD5:	074863c3352d6dda17dcb8bdc6a8929f
SHA1:	8a07e8326dec5b754becce68b5b02b85653d6029
SHA256:	3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56
SHA512:	0ac975a182d29aa2ac8186cfffcde728cee083c98f30bd1ad11cb397699628911a2713f952155ecbdcb2a0aff55a169ea1ca1e7b22c6c029de1d0848f661ceab
SSDEEP:	196608:So+5seL+Vnj4EYkAm/r7IJCTXx2Yb+pew/iHRJiVF2SxqGBxVTmopHg1zsnYYJtF:SL+1jxA8IPpe83YsPdgJHYJMuhxoy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."......(...*...... ^........@...........................................`... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x475e20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4d028340f95202ab4f8ed495dd117513

Entrypoint Preview

Instruction
jmp 00007FAFE4A57030h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
dec eax
sub esp, 70h
dec eax
mov dword ptr [esp+50h], edi
dec eax
mov dword ptr [esp+48h], esi
dec eax
mov dword ptr [esp+40h], ebp
dec eax
mov dword ptr [esp+38h], ebx
dec esp
mov dword ptr [esp+30h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+20h], esi
dec esp
mov dword ptr [esp+58h], edi
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007FAFE4A5A7FEh
dec eax
mov eax, 00000000h
jmp 00007FAFE4A5A880h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h
jne 00007FAFE4A5A7F7h
call 00007FAFE4A5A938h
dec eax
mov dword ptr [esp+60h], edx
dec eax
mov dword ptr [esp+68h], esp
dec eax
mov ebx, dword ptr [edx+30h]
dec eax
mov ebx, dword ptr [ebx]
dec eax
cmp edx, ebx
je 00007FAFE4A5A81Fh
dec eax
mov ebp, dword ptr [00000028h]
dec eax
mov dword ptr [ebp+00000000h], ebx
dec eax
mov edi, dword ptr [ebx+38h]
dec eax
sub edi, 08h
dec eax
lea esi, dword ptr [FFFCB32Eh]
dec eax
mov dword ptr [edi], esi
dec eax
sub edi, 78h
dec eax
mov dword ptr [edi+68h], esp
dec eax
mov esp, edi
dec eax
mov ebx, dword ptr [ecx]
dec eax
mov ecx, dword ptr [ecx+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1aff000	0x4b2	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b00000	0x7770c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1492020	0x150	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9f26d0	0x9f2800	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9f4000	0xa9d3a8	0xa9d400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1492000	0xf7eb0	0xa2a00	False	0.354308284493	data	5.69601710367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
/4	0x158a000	0x119	0x200	False	0.595703125	data	4.82921592007	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x158b000	0x14c9be	0x14ca00	False	0.99954199549	data	7.99735464395	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x16d8000	0x4fddc	0x4fe00	False	0.984051007433	data	7.93386247871	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x1728000	0x5b	0x200	False	0.185546875	data	1.52153877317	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x1729000	0x22f0f2	0x22f200	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x1959000	0x13b9eb	0x13ba00	False	0.984021503713	data	7.99704263406	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x1a95000	0x692c2	0x69400	False	0.964444774347	data	7.81311590232	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x1aff000	0x4b2	0x600	False	0.338541666667	data	3.85190508087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x1b00000	0x7770c	0x77800	False	0.169069936585	data	5.45923036543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1b78000	0x2305e8	0x230600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, Sleep, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• ngrok.exe
• conhost.exe
• ngrok.exe
• cmd.exe

Click to jump to process

Memory Usage

• ngrok.exe
• conhost.exe
• ngrok.exe
• cmd.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• ngrok.exe
• conhost.exe
• ngrok.exe
• cmd.exe

Click to jump to process

System Behavior

Analysis Process: ngrok.exe PID: 3080 Parent PID: 5956

Function Logs

General

Start time:	23:12:22
Start date:	06/07/2021
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\ngrok.exe'
Imagebase:	0x9b0000
File size:	30718976 bytes
MD5 hash:	074863C3352D6DDA17DCB8BDC6A8929F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 6108 Parent PID: 3080

Function Logs

General

Start time:	23:12:26
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Memory Activities

LPC Port Activities

Chronological Activities

Analysis Process: ngrok.exe PID: 4112 Parent PID: 3080

Function Logs

General

Start time:	23:12:34
Start date:	06/07/2021
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\ngrok.exe
Imagebase:	0x9b0000
File size:	30718976 bytes
MD5 hash:	074863C3352D6DDA17DCB8BDC6A8929F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

Chronological Activities

Analysis Process: cmd.exe PID: 6580 Parent PID: 3080

Function Logs

General

Start time:	23:12:43
Start date:	06/07/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /K
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ngrok.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ngrok.exe PID: 3080 Parent PID: 5956

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO