Create Interactive Tour

Windows Analysis Report
NodeDisplay.Container.exe

Overview

General Information

Sample Name:	NodeDisplay.Container.exe
Analysis ID:	656320
MD5:	74744fc068f935608dff34ecd0eb1f96
SHA1:	5e629dd17a206424302b9794f981d3e1b3b25695
SHA256:	8a9d3071e53165637980d076f325c66630a2189b8adcff78cabe17b41d7d87b3
Infos:

Detection

Clipboard Hijacker

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Clipboard Hijacker

Multi AV Scanner detection for dropped file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Machine Learning detection for dropped file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

PE file contains section with special chars

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64native

NodeDisplay.Container.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\NodeDisplay.Container.exe" MD5: 74744FC068F935608DFF34ECD0EB1F96)

schtasks.exe (PID: 7340 cmdline: /C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe" MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)

conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

schtasks.exe (PID: 4312 cmdline: /C /Query /XML /TN "NodeJSEnvironmentUpdateTask" MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

schtasks.exe (PID: 1356 cmdline: /C /create /F /tn "NodeJSEnvironmentUpdateTask" /XML "C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml" MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WerFault.exe (PID: 4004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 476 MD5: 40A149513D721F096DDF50C04DA2F01F)

NodeDisplay.Container.exe (PID: 5596 cmdline: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe MD5: 74744FC068F935608DFF34ECD0EB1F96)

cleanup

Malware Configuration

Threatname: Clipboard Hijacker

{
  "Crypto Addresses": [
    "32h53ccRQW6Vyw4rqR22xmip34WcC6pnFL",
    "19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX",
    "MTVvkKYrzipuB5ga8XNLpY7qx6FpBR74rr",
    "0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8",
    "D7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ",
    "Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg",
    "hC5zF4xW4pD6iF6a.xml",
    "t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX",
    "NodeDisplay.Container.exe",
    "bc1qnd4p4vh6zvq68s7m70dvuzejfq2rfmqdlzmmse",
    "addr1qxfaxxg87zn7y08wj784235sjussh5d0tvnf553nfqf3c2yn6vvs0u98ug7wa9u024rfp9epp0g67kexnffrxjqnrs5qlq308g",
    "NodeJSEnvironmentUpdateTask",
    "ronin:f99068a66aE783dCe4f7a811b09fe1CF071E4414",
    "XLZZIN45UKRRZIYERPIP3NLHZLRJB5MPBBK5NVDSCKCM6TY3CP4MJJYOWE",
    "433JgHYcvGfb5zCFFbfH3zW3HB6nz5ah1J6zSW8p2Ac6AvXCHzWacQdZD2snEnijjZVbhUxsMxVxwPHwopCGXFHWGDo59vU",
    "cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy",
    "832XKsTJiDCUSNjtnjcWVvXNwYKgzCoXPTejxnMhKHhNhb55RMyBgBMJpqS9RX7ywoKoV5pmTRdvvCMb3XsY4o9KHy5GLGE",
    "ltc1qf78tyv7ygtvnhlyak026956uhfh6wrpjgnuvsp",
    "bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk",
    "TM2FqmawKhRe82BJJfY1WaEwRx48JLrTG2",
    "LUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN",
    "rHDfnp9vP5aV81QqehsZZAEeKrgZUs3KyH",
    "AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy",
    "Ae2tdPwUPEZ4SGK88ZzwuAzcUsos6SBQA1rDpbMNZhJo2TezusztfvxkfU7",
    "RUG3uyX1vvgV3uadKnBPbgatH391U5E3E7",
    "AGVDbNVutgwiep6615bjTJnQkScwWuUEMuU95NredRG5"
  ]
}

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author
1.0.NodeDisplay.Container.exe.4f0000.2.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
1.0.NodeDisplay.Container.exe.4f0000.1.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
1.0.NodeDisplay.Container.exe.4f0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
1.2.NodeDisplay.Container.exe.4f0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
6.2.NodeDisplay.Container.exe.4e0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: NodeDisplay.Container.exe	Virustotal: Detection: 77%	Perma Link
Source: NodeDisplay.Container.exe	Metadefender: Detection: 28%	Perma Link
Source: NodeDisplay.Container.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Metadefender: Detection: 28%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	ReversingLabs: Detection: 92%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NodeDisplay.Container.exe

Joe Sandbox ML: detected

Source: 1.2.NodeDisplay.Container.exe.4f0000.0.unpack

Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["32h53ccRQW6Vyw4rqR22xmip34WcC6pnFL", "19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX", "MTVvkKYrzipuB5ga8XNLpY7qx6FpBR74rr", "0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8", "D7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ", "Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg", "hC5zF4xW4pD6iF6a.xml", "t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX", "NodeDisplay.Container.exe", "bc1qnd4p4vh6zvq68s7m70dvuzejfq2rfmqdlzmmse", "addr1qxfaxxg87zn7y08wj784235sjussh5d0tvnf553nfqf3c2yn6vvs0u98ug7wa9u024rfp9epp0g67kexnffrxjqnrs5qlq308g", "NodeJSEnvironmentUpdateTask", "ronin:f99068a66aE783dCe4f7a811b09fe1CF071E4414", "XLZZIN45UKRRZIYERPIP3NLHZLRJB5MPBBK5NVDSCKCM6TY3CP4MJJYOWE", "433JgHYcvGfb5zCFFbfH3zW3HB6nz5ah1J6zSW8p2Ac6AvXCHzWacQdZD2snEnijjZVbhUxsMxVxwPHwopCGXFHWGDo59vU", "cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy", "832XKsTJiDCUSNjtnjcWVvXNwYKgzCoXPTejxnMhKHhNhb55RMyBgBMJpqS9RX7ywoKoV5pmTRdvvCMb3XsY4o9KHy5GLGE", "ltc1qf78tyv7ygtvnhlyak026956uhfh6wrpjgnuvsp", "bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk", "TM2FqmawKhRe82BJJfY1WaEwRx48JLrTG2", "LUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN", "rHDfnp9vP5aV81QqehsZZAEeKrgZUs3KyH", "AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy", "Ae2tdPwUPEZ4SGK88ZzwuAzcUsos6SBQA1rDpbMNZhJo2TezusztfvxkfU7", "RUG3uyX1vvgV3uadKnBPbgatH391U5E3E7", "AGVDbNVutgwiep6615bjTJnQkScwWuUEMuU95NredRG5"]}

Source: NodeDisplay.Container.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NodeDisplay.Container.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Amcache.hve.12.dr

String found in binary or memory: http://upx.sf.net

System Summary

PE file contains section with special chars

Source: NodeDisplay.Container.exe	Static PE information: section name: .>J2
Source: NodeDisplay.Container.exe	Static PE information: section name: .4U}
Source: NodeDisplay.Container.exe.1.dr	Static PE information: section name: .>J2
Source: NodeDisplay.Container.exe.1.dr	Static PE information: section name: .4U}

Source: NodeDisplay.Container.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NodeDisplay.Container.exe, 00000001.00000000.33518025857.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs NodeDisplay.Container.exe
Source: NodeDisplay.Container.exe, 00000001.00000003.33477634815.000000000327A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs NodeDisplay.Container.exe
Source: NodeDisplay.Container.exe, 00000006.00000000.33499363958.0000000000F7B000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs NodeDisplay.Container.exe
Source: NodeDisplay.Container.exe	Binary or memory string: OriginalFilenamenode.exe* vs NodeDisplay.Container.exe
Source: NodeDisplay.Container.exe.1.dr	Binary or memory string: OriginalFilenamenode.exe* vs NodeDisplay.Container.exe

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 476

Source: NodeDisplay.Container.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NodeDisplay.Container.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe 8A9D3071E53165637980D076F325C66630A2189B8ADCFF78CABE17B41D7D87B3

Source: NodeDisplay.Container.exe	Virustotal: Detection: 77%
Source: NodeDisplay.Container.exe	Metadefender: Detection: 28%
Source: NodeDisplay.Container.exe	ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

File read: C:\Users\user\Desktop\NodeDisplay.Container.exe

Jump to behavior

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NodeDisplay.Container.exe "C:\Users\user\Desktop\NodeDisplay.Container.exe"
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "NodeJSEnvironmentUpdateTask"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "NodeJSEnvironmentUpdateTask" /XML "C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 476
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "NodeJSEnvironmentUpdateTask"	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "NodeJSEnvironmentUpdateTask" /XML "C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml"	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7408
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:304:WilStaging_02
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d723aaef-a8aa-4c18-b9f6-e306074f79d9

Jump to behavior

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@12/8@0/0

Source: NodeDisplay.Container.exe

Static file information: File size 7276032 > 1048576

Source: NodeDisplay.Container.exe

Static PE information: Raw size of .dHc is bigger than: 0x100000 < 0x6cce00

Source: NodeDisplay.Container.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: NodeDisplay.Container.exe	Static PE information: section name: .>J2
Source: NodeDisplay.Container.exe	Static PE information: section name: .4U}
Source: NodeDisplay.Container.exe	Static PE information: section name: .dHc
Source: NodeDisplay.Container.exe.1.dr	Static PE information: section name: .>J2
Source: NodeDisplay.Container.exe.1.dr	Static PE information: section name: .4U}
Source: NodeDisplay.Container.exe.1.dr	Static PE information: section name: .dHc

Source: initial sample

Static PE information: section where entry point is pointing to: .dHc

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe"

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Memory written: PID: 7408 base: 14F0005 value: E9 AB 2E 6B 76	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Memory written: PID: 7408 base: 77BA2EB0 value: E9 5A D1 94 89	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Memory written: PID: 7408 base: 3220007 value: E9 6B DC 9B 74	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Memory written: PID: 7408 base: 77BDDC70 value: E9 9E 23 64 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Memory written: PID: 5596 base: 1510005 value: E9 AB 2E 69 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Memory written: PID: 5596 base: 77BA2EB0 value: E9 5A D1 96 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Memory written: PID: 5596 base: 1520007 value: E9 6B DC 6B 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Memory written: PID: 5596 base: 77BDDC70 value: E9 9E 23 94 89	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NodeDisplay.Container.exe, 00000001.00000002.33573674922.000000000150D000.00000004.00000020.00020000.00000000.sdmp, NodeDisplay.Container.exe, 00000001.00000000.33518756909.000000000150D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NodeDisplay.Container.exe, 00000006.00000002.33523123221.000000000165D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

System information queried: ModuleInformation

Jump to behavior

Source: Amcache.hve.12.dr

Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NodeDisplay.Container.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\NodeDisplay.Container.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "NodeJSEnvironmentUpdateTask"

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 1.0.NodeDisplay.Container.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.NodeDisplay.Container.exe.4f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.NodeDisplay.Container.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.NodeDisplay.Container.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NodeDisplay.Container.exe.4e0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 Credential API Hooking	431 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	22 Virtualization/Sandbox Evasion	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NodeDisplay.Container.exe	78%	Virustotal		Browse
NodeDisplay.Container.exe	29%	Metadefender		Browse
NodeDisplay.Container.exe	92%	ReversingLabs	Win32.Trojan.Tasker
NodeDisplay.Container.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	78%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	92%	ReversingLabs	Win32.Trojan.Tasker

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.NodeDisplay.Container.exe.4f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.NodeDisplay.Container.exe.4f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.NodeDisplay.Container.exe.4e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.NodeDisplay.Container.exe.4f0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.NodeDisplay.Container.exe.4e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.NodeDisplay.Container.exe.4f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	656320
Start date and time: 04/07/202205:04:01	2022-07-04 05:04:01 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NodeDisplay.Container.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@12/8@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, wdcpalt.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
05:05:57	Task Scheduler	Run new task: NodeJSEnvironmentUpdateTask path: C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe
05:06:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe	Z6W8VS5KJX.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NodeDisplay.Cont_8a9167268f44c04a1540ee50522a92e81813aeb1_3532b840_abf97f24-b63b-4533-8fce-566397bd663e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.797146872166699
Encrypted:	false
SSDEEP:	96:O3PsUyOSiASs8vtk1exfAvXIxcQPc6pcE6cw3UVwR+HbHg/rZHLnxZOycEmzyPn2:EPPyPS2mBtQejPeDu760fAIO8P
MD5:	C93A5A7B156A80E9E96BA821D1C7BAD0
SHA1:	DE86FB01F8FEA91422AB8577AFA8B69F585B3CD3
SHA-256:	1B4972B15AF70A21B98261C99CCCAE9C657FB1149E277DDC2639816930D18A3D
SHA-512:	D4A3EA1ACDD4A676A38D2E445F426DCB52368D81C944687C98701E6691FB7D8403F2810104A7E23FE3BBC8948BAD451255B7688A862C0BA6D5FAF7B1145BFEF2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.1.3.8.1.1.6.1.8.9.6.6.8.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.1.3.8.1.1.6.2.8.0.2.7.1.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.f.9.7.f.2.4.-.b.6.3.b.-.4.5.3.3.-.8.f.c.e.-.5.6.6.3.9.7.b.d.6.6.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.c.7.9.6.8.6.-.d.7.3.8.-.4.f.6.7.-.a.0.5.8.-.f.a.7.7.a.b.9.5.6.3.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.o.d.e.D.i.s.p.l.a.y...C.o.n.t.a.i.n.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.n.o.d.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.0.-.0.0.0.1.-.0.0.1.5.-.0.7.2.b.-.0.c.5.b.5.b.8.f.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.b.9.1.8.9.d.8.1.5.3.8.1.0.7.f.6.e.d.2.4.8.d.b.3.1.a.c.c.3.6.4.0.0.0.0.0.9.0.4.!.0.0.0.0.5.e.6.2.9.d.d.1.7.a.2.0.6.4.2.4.3.0.2.b.9.7.9.4.f.9.8.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9298.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jul 4 04:06:02 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	2.6064670297733215
Encrypted:	false
SSDEEP:	96:57Q8QS6Eb/dyzBKL3ugVTgGKKi7HmCEbVLj5XWudJm2++XCpTWFWI9bI84I88u3s:NTRdjL+4OreLjzUP+X0Iu3Mwr19
MD5:	EABB0CE5832AA93B34A4EC3025502C2C
SHA1:	ADF08053992D8E26DE74204A65624FC079D0204D
SHA-256:	09B02E1004DC620318C4861B6844673D94B252F0A813C018464C23A076393740
SHA-512:	D28F5F4BCBB0AB845C8DBA69E4DB5B7C9FA5106679E5B353CA048C0A276C2FC6D127117B3D49BC4DACE6FF805C4F78C861E6424F2C0B47C818F8FB1E60DED549
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......*g.b............4...............<.......t...............T.......8...........T...........p...nS......................................................................................................bJ......P.......GenuineIntel...........T...........!g.b.............................0..................G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93D2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.694553023362478
Encrypted:	false
SSDEEP:	192:R9l7lZNiBn6R6YdQrSULgmfXzEw4prk89b7Dsf03pm:R9lnNih6R6YerSULgmfXzER7ofd
MD5:	48BECA8EBE7032D36E96C7090EA44017
SHA1:	B84B9A811BC50CA340FAB8EA05E9D90FCC18C534
SHA-256:	5B8106E39C917716F6030BA40F17F63323358AAA01CE141C7F227D7FA8BB66C1
SHA-512:	DB2957CDB7C2445DEA04D290BB80849CF0BFC9D1B041E058DA207942713341BAC05E8EF8B9FA9D605E456FDC8E1A1026114E2018413B2D44DA6DD4961FB055FB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9430.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4857
Entropy (8bit):	4.504987404510825
Encrypted:	false
SSDEEP:	48:cvIwwtl8zs7e702I7VFJ5WS2CfjkTs3rm8M4J76GBcuFlEFvP+q8dKuSOl+BE23I:uILfy7GySPfLJMuFlOduPl+BEUN0td
MD5:	5083EF9A6101B2E033E34320C87C031C
SHA1:	7BACF05BC7E2893629A31AE1920CFD167BB0F933
SHA-256:	DBF1C1DF3356572C617BAD3DE284818C2393F7DAEAACCA7CD71E7A556AA5DEA5
SHA-512:	F5A6DCD1D83B3689DA9B78B94E58BF92881FD1F2C589C73204B6C6002A24F9B6C29A990646A25416FAB6EF9115D136208FAA40527D1E503D139BDBB0312D1B4B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221686968" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe

Download File

Process:	C:\Users\user\Desktop\NodeDisplay.Container.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7276032
Entropy (8bit):	7.957813314312425
Encrypted:	false
SSDEEP:	196608:VdOmLBBXPbbwnyP0kRINUXFQnHhyMN8S:VPV5bbcyck5QnBy
MD5:	74744FC068F935608DFF34ECD0EB1F96
SHA1:	5E629DD17A206424302B9794F981D3E1B3B25695
SHA-256:	8A9D3071E53165637980D076F325C66630A2189B8ADCFF78CABE17B41D7D87B3
SHA-512:	C750062B6E9FE2C0FBA5391B38553EDD7CFAC145A6ED2CD0A4EC7CD195B64F3FA1049154247D35494515781031BA7AC64BBAC4526EEDFE2CD7EF73AF16D09B42
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 78%, Browse Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Z6W8VS5KJX.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................B...............0....@.................................qo...@..........................2..O...T...x........(............................................................................<.@............................text............................... ..`.rdata.......0......................@..@.data...d....P......................@....>J2.....o<..`...................... ..`.4U}..........<.....................@....dHc....p.l...<...l................. ..`.reloc................l.............@..@.rsrc....(.......*....l.............@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\NodeDisplay.Container.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml

Download File

Process:	C:\Users\user\Desktop\NodeDisplay.Container.exe
File Type:	XML 1.0 document, ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	1330
Entropy (8bit):	5.21213966156796
Encrypted:	false
SSDEEP:	24:2dcd4+Sc9q944XPKtMhEMO5pwHYeGaDt0fORYv0qv9UuaWln:cmt9q9VK6dOQHuaD3uaE
MD5:	6341E1999ABABC6CF81D2AE8F1C3E096
SHA1:	667998B3CFE4B5C9C37E67E376C613EDEB800414
SHA-256:	7D5C4E30D2DCD6414003DB1821BF24353B78F0EB00FF5A606C7BB971457F9573
SHA-512:	0DDE0AF6630487D56A34782DB8DFD564C93713105F4B8EFF429E48B135DEEA2B202E31267F362C6A105257F9B2ABB73565ABF3BB3B2A93CBA96E5ABF66768F80
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>...<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">... <RegistrationInfo>... <Date>2022-07-04T05:05:56</Date>... <Author>computer\user</Author>... <URI>\NodeJSEnvironmentUpdateTask</URI>... </RegistrationInfo>... <Principals>... <Principal id="Author">... <UserId>S-1-5-21-3425316567-2969588382-3778222414-1001</UserId>... <LogonType>InteractiveToken</LogonType>... </Principal>... </Principals>... <Settings>... <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>... <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>... <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>... <IdleSettings>... <Duration>PT10M</Duration>... <WaitTimeout>PT1H</WaitTimeout>... <StopOnIdleEnd>false</StopOnIdleEnd>... <RestartOnIdle>false</RestartOnIdle>... </IdleSettings>... </Settings>... <Triggers>... <TimeTrigger>... <StartBoundary>2022-0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	4.510814273738912
Encrypted:	false
SSDEEP:	12288:lyMMY6/amIa6rBC4iTd+vXlnDhSEt+d5X+rEhFRNcylKOZdyKhUag6VSzX:lDa6rBC4iTd+vXlnD0vlyKhUag6VSzX
MD5:	7B43E57781380C8269104780373E2D4F
SHA1:	08406983386FD828F6E00D27CB835B0902076D01
SHA-256:	208D32573B6FA9D417522CE9452094071488AEE1D2C06A3DB03DEBFD9D1C10E6
SHA-512:	003D3362D6BCB2A9B159D8296C2757C5175EAA2A03610874E78CFC7ED57F37089CF1959723099CA519E7B9DE25FF29DD7EC8EFE2F4CBB53007D60145A431F643
Malicious:	false
Preview:	regf........5.#.^................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.._[...............................................................................................................................................................................................................................................................................................................................................m.H.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.957813314312425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NodeDisplay.Container.exe
File size:	7276032
MD5:	74744fc068f935608dff34ecd0eb1f96
SHA1:	5e629dd17a206424302b9794f981d3e1b3b25695
SHA256:	8a9d3071e53165637980d076f325c66630a2189b8adcff78cabe17b41d7d87b3
SHA512:	c750062b6e9fe2c0fba5391b38553edd7cfac145a6ed2cd0a4ec7cd195b64f3fa1049154247d35494515781031ba7ac64bbac4526eedfe2cd7ef73af16d09b42
SSDEEP:	196608:VdOmLBBXPbbwnyP0kRINUXFQnHhyMN8S:VPV5bbcyck5QnBy
TLSH:	8C76237317510154E4E7D83CA013BDE673F613238E8398B994E2FAD5BA369E0EA56C43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................B...............0....@..................................qo...@..........................2..O..

File Icon


Icon Hash:	70fcbaf8f8f2f030

Static PE Info

General

Entrypoint:	0xdb2ed2
Entrypoint Section:	.dHc
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62ACAB14 [Fri Jun 17 16:25:56 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d812527b5988192695ea156eae610de1

Entrypoint Preview

Instruction
push ecx
pushfd
mov ecx, 5053650Fh
xor cx, cx
push esi
push ecx
jbe 00007FDAD072A30Ch
dec edx
xor edx, 75E90A87h
jmp 00007FDAD0C9F840h
not ecx
inc ecx
jmp 00007FDAD06FD1AAh
dec eax
mov edi, dword ptr [edi]
dec ecx
sub esp, 00000004h
inc cx
bts edi, ecx
inc ecx
inc bh
inc ebp
mov edi, dword ptr [esp]
inc ebp
xor edi, eax
jmp 00007FDAD0C9D340h
jne 00007FDAD0B85B37h
pop esi
btr cx, 0019h
movzx ecx, cx
not eax
mov ecx, edx
xchg ecx, ecx
mov dword ptr [edi], eax
btc cx, 0048h
shrd ecx, edx, 0000009Ah
test bx, 464Fh
mov ecx, dword ptr [ebp+00h]
test edx, esi
cmp cl, dh
test bh, 00000061h
add ebp, 00000004h
xor ecx, ebx
cmp edi, eax
test ebp, 75144721h
stc
bswap ecx
neg ecx
jmp 00007FDAD0C224A2h
push esi
mov ecx, dword ptr [esp+14h]
mov dword ptr [esp+14h], AFFE2CFBh
mov esi, dword ptr [esp+04h]
jl 00007FDAD0AED5A6h
jng 00007FDAD0C2E61Bh
mov byte ptr [esp+08h], FFFFFFBFh
add dword ptr [esp+0Ch], esi
call 00007FDAD0B857ADh
or eax, 7FE171F3h
sub ebx, FFFFFFD7h
xchg eax, ebp
jmp far 0067h : 1E8E836Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x9a32c4	0xc4f	.dHc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8eab54	0x78	.dHc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa9c000	0x228b5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa9b000	0x5d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3cd000	0x40	.4U}
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b1f	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1108	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x64	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.>J2	0x6000	0x3c6f1c	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.4U}	0x3cd000	0x398	0x400	False	0.0625	data	0.36214201566229515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dHc	0x3ce000	0x6ccd70	0x6cce00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xa9b000	0x5d0	0x600	False	0.5299479166666666	GLS_BINARY_LSB_FIRST	4.3086189026501405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa9c000	0x228b5	0x22a00	False	0.43735898014440433	data	6.15996091069098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa9c220	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xa9c688	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xa9d730	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xa9fcd8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xaa3f00	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xab4728	0x9cca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_ICON	0xabe3f4	0x5a	data	English	United States
RT_VERSION	0xabe450	0x2e8	data	English	United States
RT_MANIFEST	0xabe738	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	LoadLibraryW
SHELL32.dll	SHGetFolderPathW
KERNEL32.dll	GetSystemTimeAsFileTime
USER32.dll	CharUpperBuffW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• NodeDisplay.Container.exe
• schtasks.exe
• conhost.exe
• schtasks.exe
• conhost.exe
• NodeDisplay.Container.exe
• schtasks.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• NodeDisplay.Container.exe
• schtasks.exe
• conhost.exe
• schtasks.exe
• conhost.exe
• NodeDisplay.Container.exe
• schtasks.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Target ID:	1
Start time:	05:05:54
Start date:	04/07/2022
Path:	C:\Users\user\Desktop\NodeDisplay.Container.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NodeDisplay.Container.exe"
Imagebase:	0x4f0000
File size:	7276032 bytes
MD5 hash:	74744FC068F935608DFF34ECD0EB1F96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	05:05:56
Start date:	04/07/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe"
Imagebase:	0x410000
File size:	187904 bytes
MD5 hash:	478BEAEC1C3A9417272BC8964ADD1CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	3
Start time:	05:05:56
Start date:	04/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b5f20000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	05:05:56
Start date:	04/07/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /Query /XML /TN "NodeJSEnvironmentUpdateTask"
Imagebase:	0x410000
File size:	187904 bytes
MD5 hash:	478BEAEC1C3A9417272BC8964ADD1CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	5
Start time:	05:05:56
Start date:	04/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b5f20000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	05:05:57
Start date:	04/07/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe
Imagebase:	0x4e0000
File size:	7276032 bytes
MD5 hash:	74744FC068F935608DFF34ECD0EB1F96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 78%, Virustotal, Browse Detection: 29%, Metadefender, Browse Detection: 92%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	05:05:57
Start date:	04/07/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /tn "NodeJSEnvironmentUpdateTask" /XML "C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml"
Imagebase:	0x410000
File size:	187904 bytes
MD5 hash:	478BEAEC1C3A9417272BC8964ADD1CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	8
Start time:	05:05:57
Start date:	04/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b5f20000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	05:06:01
Start date:	04/07/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 476
Imagebase:	0xaf0000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NodeDisplay.Container.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Clipboard Hijacker

Yara Signatures

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NodeDisplay.Cont_8a9167268f44c04a1540ee50522a92e81813aeb1_3532b840_abf97f24-b63b-4533-8fce-566397bd663e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9298.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93D2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9430.tmp.xml

C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe

C:\Users\user\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
NodeDisplay.Container.exe