Create Interactive Tour

Windows Analysis Report
Arellia.Agent.Service.exe

Overview

General Information

Sample Name:	Arellia.Agent.Service.exe
Analysis ID:	611526
MD5:	9da766e46e5e27e743ef65583bbce116
SHA1:	4b148cda21c22ee30b621ef9027a597550ef87f9
SHA256:	48483bc4987f9cf0713b785174cdd588a8c5c03f0b9214f226710716131bb4e8
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Allocates memory with a write watch (potentially for evading sandboxes)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

Arellia.Agent.Service.exe (PID: 3920 cmdline: "C:\Users\user\Desktop\Arellia.Agent.Service.exe" MD5: 9DA766E46E5E27E743EF65583BBCE116)

conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 3576 cmdline: C:\Windows\system32\WerFault.exe -u -p 3920 -s 836 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arellia.Agent.Service.exe" , ParentImage: C:\Users\user\Desktop\Arellia.Agent.Service.exe, ParentProcessId: 3920, ParentProcessName: Arellia.Agent.Service.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 2424, ProcessName: conhost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Arellia.Agent.Service.exe

Static PE information: certificate valid

Source: Arellia.Agent.Service.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\vstsagent\_work\13\s\Arellia.Agent.Service\obj\x64\Release\Arellia.Agent.Service.pdb source: Arellia.Agent.Service.exe
Source:	Binary string: mscorlib.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: Arellia.Agent.Service.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb*Z source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: Arellia.Agent.Service.pdbh source: WERAC7D.tmp.dmp.4.dr

Source: Arellia.Agent.Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Arellia.Agent.Service.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Arellia.Agent.Service.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: Arellia.Agent.Service.exe

Static PE information: No import functions for PE file found

Source: Arellia.Agent.Service.exe	Binary or memory string: OriginalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000000.280738347.000000000170D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000002.300700505.000000000170D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000000.282017421.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_OriginalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000000.282017421.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: originalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000000.282017421.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LegalCopyright!OriginalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000000.282017421.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000002.302004914.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_OriginalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000002.302004914.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: originalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000002.302004914.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LegalCopyright!OriginalFilename vs Arellia.Agent.Service.exe
Source: Arellia.Agent.Service.exe, 00000000.00000002.302004914.000000001DD20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs Arellia.Agent.Service.exe

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3920 -s 836

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Code function: 0_2_00007FFF7F749498

0_2_00007FFF7F749498

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

File read: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Jump to behavior

Source: Arellia.Agent.Service.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arellia.Agent.Service.exe "C:\Users\user\Desktop\Arellia.Agent.Service.exe"
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3920 -s 836

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9326B03-E51D-43A3-9394-9B8ECCDBAD9B}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3920

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC7D.tmp

Jump to behavior

Source: Arellia.Agent.Service.exe	String found in binary or memory: -install
Source: Arellia.Agent.Service.exe	String found in binary or memory: -install

Source: classification engine

Classification label: clean4.winEXE@3/5@0/0

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Arellia.Agent.Service.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Arellia.Agent.Service.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Arellia.Agent.Service.exe

Static PE information: certificate valid

Source: Arellia.Agent.Service.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Arellia.Agent.Service.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\vstsagent\_work\13\s\Arellia.Agent.Service\obj\x64\Release\Arellia.Agent.Service.pdb source: Arellia.Agent.Service.exe
Source:	Binary string: mscorlib.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: Arellia.Agent.Service.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.ServiceProcess.pdb*Z source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERAC7D.tmp.dmp.4.dr
Source:	Binary string: Arellia.Agent.Service.pdbh source: WERAC7D.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Code function: 0_2_00007FFF7F722392 pushad ; iretd

0_2_00007FFF7F722393

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Memory allocated: 4700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Memory allocated: 1C700000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Queries volume information: C:\Users\user\Desktop\Arellia.Agent.Service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Arellia.Agent.Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Arellia.Agent.Service.exe	0%	Virustotal	Browse
Arellia.Agent.Service.exe	0%	Metadefender	Browse
Arellia.Agent.Service.exe	0%	ReversingLabs

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	611526
Start date and time: 19/04/202220:06:27	2022-04-19 20:06:27 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arellia.Agent.Service.exe
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@3/5@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.7% (good quality ratio 0.2%) Quality average: 17.2% Quality standard deviation: 29.9%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Execution Graph export aborted for target Arellia.Agent.Service.exe, PID 3920 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:08:00	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Arellia.Agent.Se_4e956c4189d90deb7e1cec012bac5df1f5f7d7_93d1d4f8_0daac351\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.860172678243506
Encrypted:	false
SSDEEP:	192:kzwBbwnvR4H1Z1Aa1m/u7sNS274ltS1J:a6snvRg1Z1Aak/u7sNX4ltS
MD5:	73D3D0B0ADA11797AC4277C18F761768
SHA1:	00C619C5359D5201F3449EFE66CE58DE78419142
SHA-256:	D56333680EA948E96C4687750D445EC07CCC9C0CD475EAFD1636CDE7894F5F24
SHA-512:	FF779F6B3CCBE133347A8AF4D35E512D6EB02184E66F84B1C60804DA3F1567254FC2F430CF37D30CA6DBCBAC8110A1A18A70D1D024433C989E05DF474EAC9E39
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.4.8.6.5.2.7.5.0.9.0.0.0.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.4.8.6.5.2.7.8.4.9.6.2.4.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.d.b.6.7.5.e.-.4.9.0.4.-.4.2.f.2.-.a.7.d.7.-.f.f.f.0.8.a.6.2.d.9.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.0.d.b.1.5.5.-.1.d.6.1.-.4.7.0.e.-.8.3.a.7.-.0.4.c.4.9.f.2.5.e.0.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.A.r.e.l.l.i.a...A.g.e.n.t...S.e.r.v.i.c.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.r.e.l.l.i.a...A.g.e.n.t...S.e.r.v.i.c.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.5.0.-.0.0.0.1.-.0.0.1.c.-.0.d.5.b.-.0.a.5.d.1.8.5.4.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.1.d.4.7.8.c.c.3.1.2.8.8.6.f.3.a.5.b.a.9.b.7.9.d.b.2.c.8.4.a.3.0.0.0.0.0.0.0.0.!.0.0.0.0.4.b.1.4.8.c.d.a.2.1.c.2.2.e.e.3.0.b.6.2.1.e.f.9.0.2.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC7D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 19 18:07:55 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	280285
Entropy (8bit):	2.4520385978459966
Encrypted:	false
SSDEEP:	1536:ameYlfBDJXM2e+lUPSA2cpUjazLE59mDm46jwCW7:amvHSPSABpUjULE59+6jwCW
MD5:	302914ED22D2762AD0D4C9DB84FED6CE
SHA1:	22665C135CF8B215B1A2A3D3A0E1BB817B24E483
SHA-256:	33AB05BE955BFE146A544D9232333D04868D71138567CA32EDAF24AE1B18F6A3
SHA-512:	D8538880D2721C98FE88616933FFCB2A47ECDFDBB0EE3DA1CF709ACC5360F67680D9117E078AB08692C35C7B2ADE4F003FEE2A4496D66503754BD3C90FFCCC39
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......{.^b............T...............h........*..X........J..Lm..........`.......8...........T............ ...%..........X@..........DB...................................................................U...........B.......B......Lw................N.z...T.......P...n.^b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB160.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8800
Entropy (8bit):	3.7020575779009564
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijXxb6Y49IVWgmf54aS4+pr089bq6PTfaj0Ym:RrlsNiT96YCIVWgmf54aSlq6rfaw9
MD5:	003AD04B115261F23535F76ABC4EB5B5
SHA1:	591DBBD524B2E889433953EE3858259171A8F7E7
SHA-256:	9A61E5B9452668DE5B938818ED877FD6108155A35CACDD51CFA07DD5C43EFC18
SHA-512:	4F2EC2C21E1417AF7BE01CCA72F99BD47179777D34AF96710AF165F231ACA00ACFF5E2986D600B4AC7E9FB437EAA0722EFC9843606F16EC6B1A3AC16B7DF027C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.2.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4EB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4781
Entropy (8bit):	4.496364642973283
Encrypted:	false
SSDEEP:	48:cvIwSD8zsiFtJgtBI9pdWgc8sqYjx8fm8M4JzFNFQIyq85XCETEVnYd:uITf8HPsgrsqYyJZGT4nYd
MD5:	CE38F429CA6905BB76935BD47839A47F
SHA1:	F1EE5AA7FA15BE0761AFB1C7223FA68820E8AF6D
SHA-256:	2159E6E9129DDC86B18F97A1781FBA826CDD518442CB52AC74ABBE4095F0E1AA
SHA-512:	4B17986E5674BD41826B24E87F7C39BEEFCDDF720C91805865577A41DBF6CE07AD42445B94897A87A9F4736744FB642941BF1FC09F3F8AB5591C23886FF75959
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1479078" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Arellia.Agent.Service.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	297
Entropy (8bit):	4.978271289805855
Encrypted:	false
SSDEEP:	6:WsTbZqbbUcfvfARoM0bPLIP12MUAvvAAw2JpQWoJPCNRGX/KZe:2Hfvf+R0bPLI4MNw2rQ1cA4e
MD5:	E27577B53675CEC6B9FD5B9432DB4D5A
SHA1:	CF18F4791F705453ABE301E9F36C0A6CA5D85BB8
SHA-256:	75F35F26D982EB90D567E71E2CEA1B6F26509D5A324B946BA09F6B86D912EADD
SHA-512:	FC278B58F016485EDBE21DAFD042745CF75DC1B860761402AA871133C712E87FE761D33EF789CA2562B3DB1CC5EB7FEC64213A9013580AAD8595B9D3B123E486
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Arellia.Core, Version=8.0.0.0, Culture=neutral, PublicKeyToken=3420a39adc2862cd' or one of its dependencies. The system cannot find the file specified... at Arellia.Agent.Service.Program.Main(String[] args).

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.607053510200672
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	Arellia.Agent.Service.exe
File size:	30824
MD5:	9da766e46e5e27e743ef65583bbce116
SHA1:	4b148cda21c22ee30b621ef9027a597550ef87f9
SHA256:	48483bc4987f9cf0713b785174cdd588a8c5c03f0b9214f226710716131bb4e8
SHA512:	929833c239a76451aff17e07eaa9206b22ca224d63badbf1c617efbc6dfffabe2ec714d5e4f72acea1050b07acad2d7f02b8252b113aad5920062279c7116ae3
SSDEEP:	768:Yb5gsga6OpXS8elrbDGdh/jraDGbHxFvhHQ:CieSTlrKjrZHxFNQ
TLSH:	51D22959CBD41E62EDBB4F3175F0D1076B70B7416591C2EF9A59C1448FC2B8225B822F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...pF.a.........."...0..6............... .....@..... ..............................h.....@...@......@............... .....

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x610C4670 [Thu Aug 5 20:13:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	7/27/2020 2:00:00 AM 8/1/2023 2:00:00 PM
Subject Chain	CN="Thycotic Software, LLC", O="Thycotic Software, LLC", L=Washington, S=District of Columbia, C=US
Version:	3
Thumbprint MD5:	6D1B086F31CC8042F8B59F550A123F07
Thumbprint SHA-1:	7777B584ED00002B20B9A7D05B7E7F3D2E3FD065
Thumbprint SHA-256:	1347B3F65707FA8DCFCEC90BAEEC182CAB27BC95BF49F7C9E95C51408989A6C2
Serial:	0AD0F9BBF60909491318743F95DF6C67

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x688	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4000	0x3868
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x53e4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x351c	0x3600	False	0.50658275463	data	5.65728550573	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x688	0x800	False	0.35791015625	data	3.67466460766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x6090	0x3f8	data
RT_MANIFEST	0x6498	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012- Thycotic Software, LLC
Assembly Version	8.0.0.0
InternalName	Arellia.Agent.Service.exe
FileVersion	11.2.1002.63377
CompanyName	Thycotic Software, LLC
LegalTrademarks
Comments
ProductName	Thycotic Agent
ProductVersion	11.2.1002+g91f706ee99
FileDescription	Arellia.Agent.Service
OriginalFilename	Arellia.Agent.Service.exe

• Arellia.Agent.Service.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Arellia.Agent.Service.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	20:07:42
Start date:	19/04/2022
Path:	C:\Users\user\Desktop\Arellia.Agent.Service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Arellia.Agent.Service.exe"
Imagebase:	0xf70000
File size:	30824 bytes
MD5 hash:	9DA766E46E5E27E743EF65583BBCE116
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	20:07:43
Start date:	19/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	20:07:54
Start date:	19/04/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3920 -s 836
Imagebase:	0x7ff770e00000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Function 00007FFF7F8E1F3F Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e7f9acfe9210ad53c0278ce90f64cf27aa6099f1eb570d4383884b50fa89d7
Instruction ID: 23932ba2e29c65d1309438119d5a59fb70861783d16c4cd0270cfe5df7a6e1bf
Opcode Fuzzy Hash: c3e7f9acfe9210ad53c0278ce90f64cf27aa6099f1eb570d4383884b50fa89d7
Instruction Fuzzy Hash: 42A16F3191868E8FDB45EF14C845AEAB7E0FF58311F00067AE81AC32D5DB74A955CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F8E2291 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0040fc98f6fcdecc9c06038d601808375881e4dc139eeabeb9f3ac913edf2ee0
Instruction ID: 87f8327bb959f2b5cc72bfc296664350d502f6f7541757d27a16afff0b7342d3
Opcode Fuzzy Hash: 0040fc98f6fcdecc9c06038d601808375881e4dc139eeabeb9f3ac913edf2ee0
Instruction Fuzzy Hash: D581FB35A28A4D8FDB95EF18C445BE977E1FF68310F404165F84DC7291DA34E985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F749420 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a3b636ae3feb6370e8aefe198094af1b4b0b48ad8597b01e504c4d05002ad3
Instruction ID: 29aab0b87d49b6ecb187243f9bca36c7140e4e05e86cfe09665a61a576475f73
Opcode Fuzzy Hash: a7a3b636ae3feb6370e8aefe198094af1b4b0b48ad8597b01e504c4d05002ad3
Instruction Fuzzy Hash: AF51A175A2864D8FDB58EF28D845BF977E0FF54311F10423AE849C72A2DE34A54ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F7494C0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681413573e2d4aaaeeed29a2e6b923e12a9dadd0f2c7dce91fc4ac7052b5c9f9
Instruction ID: 4e47a4c863c84721918bf90f256992947a1fa9ebfe1478c270568628585e5038
Opcode Fuzzy Hash: 681413573e2d4aaaeeed29a2e6b923e12a9dadd0f2c7dce91fc4ac7052b5c9f9
Instruction Fuzzy Hash: 83513A759286498FEB68DF28D845BFA77E0FF54311F10413AF84AC6291DF34A9858BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F749508 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04bfc995a29a20abd1ba53efc303c2ac89ef2698a38abf2ca0303cf20b0e678
Instruction ID: 6fbf8506a0b9093f8c08b940552ea534c60edf09e2158ccfba7bc06f659a9e3f
Opcode Fuzzy Hash: c04bfc995a29a20abd1ba53efc303c2ac89ef2698a38abf2ca0303cf20b0e678
Instruction Fuzzy Hash: E051D675914A5E8FDF44EFA8C449AEEBBF1FB68315F10053AE409E3294DB74A491CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F7494D8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ed407cabeba095aa3f87a053876394ab02d9f85a86d6f7bdaa0dc90d0892d4
Instruction ID: 5363fc3e137f72c05850ea792cb6cd9dac66789ea54497dacf4b3911e6c1f85f
Opcode Fuzzy Hash: a3ed407cabeba095aa3f87a053876394ab02d9f85a86d6f7bdaa0dc90d0892d4
Instruction Fuzzy Hash: 31412935928A4D8FEB68EF28C855BE977E0FF54311F10413AF84AC72A1DE34A9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F722F55 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bd629127b046871427a25e03059181f34f48acdd1ebd113f6b82f9f8271753
Instruction ID: 356826da7dabe89b3763295fff454c0eaf58dcbccfe66ad86d36f8cb7f503959
Opcode Fuzzy Hash: 08bd629127b046871427a25e03059181f34f48acdd1ebd113f6b82f9f8271753
Instruction Fuzzy Hash: 4941AC329186499BDF01EF68D8456EE7BF0FF59361F00013BE849D22A2DB34A995CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F728E20 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5268e56c84ed3c41380720165fddae0c5a6a5ab2b7734a1b01a86895017ffa1
Instruction ID: 542eea9370989be86770f46e0edb27c898a13784ee3c34b9fd3b97fd566b2302
Opcode Fuzzy Hash: f5268e56c84ed3c41380720165fddae0c5a6a5ab2b7734a1b01a86895017ffa1
Instruction Fuzzy Hash: 61411830818A4E8FDF84EF68D445AEEBBF1FF68311F10052AE409E7290CB34A595CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F8E24DA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0db2c6b7f969956e1c48876b41dcd469327740ed01bb8eb58df9a5d25439a0
Instruction ID: bfb85f0559d1982ffb1cfa4cac6d1b967bc9a7bc979488b5cd4d4e77da543eac
Opcode Fuzzy Hash: ff0db2c6b7f969956e1c48876b41dcd469327740ed01bb8eb58df9a5d25439a0
Instruction Fuzzy Hash: 92318F3191864E8FCB84DF18C8556EA7BE1FF68311F00067AE81AD3290CB34A9218BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F72458F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c389113577c917116da1cae65a940426bdad608bb6b8b44027c0ff62c678775
Instruction ID: 3f1ec238937d788a986ba272bc610fe3cf95f9fc9a361b2e3d0a491a450b12ae
Opcode Fuzzy Hash: 5c389113577c917116da1cae65a940426bdad608bb6b8b44027c0ff62c678775
Instruction Fuzzy Hash: 4D312D31908A5E8BDB45EF28A8456FE7BE0FF55320F10463BE41AC21A2DB359596CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F8E059D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ab050e6fb3137f14d11408544c94a3dae64b36574f6babb851d4f9e44f5873
Instruction ID: 0d6651bbae72f0f86c35c342a64bf6a607c3d784efc9612ca52514a3a5a13152
Opcode Fuzzy Hash: f2ab050e6fb3137f14d11408544c94a3dae64b36574f6babb851d4f9e44f5873
Instruction Fuzzy Hash: 5E215E31528A4E8FDB94DF14D844BEAB7E1FF98320F0046A6E41AC7295CB74E915CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F8E0D25 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904dbdd4d4c053c64a196c6806564f7d9a658477881691cbe19906eb0851e9fd
Instruction ID: 03596b8fbefc0dafb69289c6d22922d75bc091a258a1180b0b0ae991ff7140d5
Opcode Fuzzy Hash: 904dbdd4d4c053c64a196c6806564f7d9a658477881691cbe19906eb0851e9fd
Instruction Fuzzy Hash: 19210C71918A4D8FCF84EF18C8556EE7BE1FB68311F01066AE45AE3290DB74A514CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F72AAF0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3223df5b0632054b78506990fe0ad294169a3ef07cec8321bb38d2f709cdfc
Instruction ID: 909a23c67cf216b0761b0d3130fcc4abca3143f2c85fa755e4ee8935118e0911
Opcode Fuzzy Hash: 1f3223df5b0632054b78506990fe0ad294169a3ef07cec8321bb38d2f709cdfc
Instruction Fuzzy Hash: B731033581864E8FEB94DF14C4456FEB7F1FF14321F50052AE41AD3291CB38AAA1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F7279A0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91031096eb66fd3b73d7444cbe07f0263a5dde4e00eaea40491d7bd096c49450
Instruction ID: 442509eca1af143e335609406d67a67995ca03cf8b0cb03c6562b727432ffe0d
Opcode Fuzzy Hash: 91031096eb66fd3b73d7444cbe07f0263a5dde4e00eaea40491d7bd096c49450
Instruction Fuzzy Hash: AB111B35818A8E8FDB45EF18D8495EA77E1FB68315F00062BF85AD3290DB34E561CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F72423D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3786aa1c46a0a20d6ddb3205490472eeb9dc34fb52f7632cff9acf499e5e6f56
Instruction ID: b5aa58a55d7394a20e59186379d27aa253f08696577baa358981f6276603c432
Opcode Fuzzy Hash: 3786aa1c46a0a20d6ddb3205490472eeb9dc34fb52f7632cff9acf499e5e6f56
Instruction Fuzzy Hash: 91112D35828A5E8FDB85EF64C8486FE77F1FB19311F00056AE419C3191DB74A554CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F8E2618 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306212751.00007FFF7F8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f8e0000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415b9a44ddec5d05707c214b33f9752be246d3f3daae3f6a5a0400b5a2a2f5ab
Instruction ID: 8dbee8d8212e0cd1e768e919035bf941d2fef1308266a1ccfc5aa774ec5c2a43
Opcode Fuzzy Hash: 415b9a44ddec5d05707c214b33f9752be246d3f3daae3f6a5a0400b5a2a2f5ab
Instruction Fuzzy Hash: 5601D635A1490ECFCF44EF58D8859EEB7F0FF58311B000266E51AE3254DB34A922CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F7254B8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305181654.00007FFF7F720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fff7f720000_Arellia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4613b268621da70fae9ca4bd803ec7d31b7ebe690dcebf9a22d672248641cc
Instruction ID: 4f39d0cdc9b00ab98de099cdd191f03d938e79a3a2ed291146c97d20fe171005
Opcode Fuzzy Hash: 4c4613b268621da70fae9ca4bd803ec7d31b7ebe690dcebf9a22d672248641cc
Instruction Fuzzy Hash: A1012C35824A4E9FDB45EF24D8485EE77A1FF14311F00463AE41AC21E4DF34A565CB80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arellia.Agent.Service.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Arellia.Agent.Se_4e956c4189d90deb7e1cec012bac5df1f5f7d7_93d1d4f8_0daac351\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC7D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB160.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4EB.tmp.xml

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Arellia.Agent.Service.exePID: 3920, Parent PID: 4980

General

File Activities

Windows Analysis Report
Arellia.Agent.Service.exe