Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1499933
MD5:	33b62d366ac20de98dedfaf74b4afefc
SHA1:	a43dbbcf422f038f2601c21112af93eb8f4514e0
SHA256:	b61490f4f0edf574703224d38c5c00b867b6191bbf09b10bf1a81b7cd8a1e9b6
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 33B62D366AC20DE98DEDFAF74B4AFEFC)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2
00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.140000000.0.raw.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2
0.0.file.exe.140000000.0.raw.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2
0.0.file.exe.140000000.0.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2
0.2.file.exe.140000000.0.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x3b8:$s2: .enigma1 0x3e0:$s3: .enigma2

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push rbp		0_2_000000014001E0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea rcx, qword ptr [0000000140021051h]		0_2_0000000140011F60

Source: file.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe	String found in binary or memory: https://www.entrust.net/rpa0

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables packed with Enigma Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000140012926	0_2_0000000140012926
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001400060F8	0_2_00000001400060F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000140012155	0_2_0000000140012155
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000000014001E3AF	0_2_000000014001E3AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001400093C0	0_2_00000001400093C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00000001400044D8	0_2_00000001400044D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000140005797	0_2_0000000140005797
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000140014EB0	0_2_0000000140014EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0000000140003ED0	0_2_0000000140003ED0

Source: file.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018

Source: classification engine

Classification label: mal64.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe

Mutant created: \Sessions\1\BaseNamedObjects\cdf89ae526ad4cbd86c91c09eed01dbb

Source: C:\Users\user\Desktop\file.exe

File created: c:\Users\user\AppData\Local\Temp\setupF0B.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior

Source: file.exe

Static file information: File size 5800616 > 1048576

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000000014000D0C5 push rdi; ret

0_2_000000014000D0C6

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXEZ
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE[,
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEZ
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE{
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXEW,
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\file.exe

API coverage: 0.5 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: qemu-ga`Y
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe`
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exeZ
Source: file.exe, file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: QEMU HARDDISK
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-gaz
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Stop reversing the programReconsider your life choicesAnd go touch some grassbasic_string::append\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKbasic_string: construction from null is not valid
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe@
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe{
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe{
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe{

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0000000140033E66 RtlAddVectoredExceptionHandler,

0_2_0000000140033E66

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x14009F39D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1400E8171	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtOpenSection: Indirect: 0x1401CB085	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x140057AC0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtQueryAttributesFile: Indirect: 0x1401CB96F	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtTerminateProcess: Indirect: 0x1401CACCC	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x14005CC8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtClose: Indirect: 0x1401CB606
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x140069067	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1400E385B	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1400DCB84	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtOpenKey: Indirect: 0x1401CA475	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1400E7F74	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtUnmapViewOfSection: Indirect: 0x1401CB3DF	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Indirect: 0x1401CCBD7	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000000014001B3C0 cpuid

0_2_000000014001B3C0

Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: wireshark.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aia.entrust.net/ts1-chain256.cer01	file.exe	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	file.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	file.exe	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	file.exe	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	file.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499933
Start date and time:	2024-08-27 18:18:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.382943668424814
TrID:	Win32 EXE PECompact compressed (generic) (41571/9) 72.19% Win64 Executable (generic) (12005/4) 20.85% Generic Win/DOS Executable (2004/3) 3.48% DOS Executable Generic (2002/1) 3.48% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	file.exe
File size:	5'800'616 bytes
MD5:	33b62d366ac20de98dedfaf74b4afefc
SHA1:	a43dbbcf422f038f2601c21112af93eb8f4514e0
SHA256:	b61490f4f0edf574703224d38c5c00b867b6191bbf09b10bf1a81b7cd8a1e9b6
SHA512:	69ac8a9b51875f9e7b30fbca176a7c6a19fd829c441dfd7db60b32c86c694f72bfcc5ff5e6334af00da3e5fc6bca65caa77baa3043d1bb18f90453abb3cc8589
SSDEEP:	98304:xFPYl0IMRuOeKBSOLLylOKg9YUfPRJhKHT4kuK7M50YfTVF47M22D3y8reeJ:zPYFM9QO3ylauyRLKHo5FF47/siQLJ
TLSH:	9446126BB223C1E8E0C5C6748853E6F16A703E609CB10387E2D67F2F7E72A407D5955A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*.............^.........@.............................p$......{....`...@...... ........ ...... .....

File Icon


Icon Hash:	7d5f56d456574db5

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: file.exePID: 6136, Parent PID: 1028

General

Target ID:	0
Start time:	12:18:53
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x140000000
File size:	5'800'616 bytes
MD5 hash:	33B62D366AC20DE98DEDFAF74B4AFEFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6136, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	3

Executed Functions

Function 0000000140012926 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 1273COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 000000014001E2B0
basic_string: construction from null is not valid, xrefs: 000000014001E2BC

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: basic_string: construction from null is not valid$basic_string::append
API String ID: 0-51681568
Opcode ID: e4397c3b6930b9924a5520cd45c54d3b21da921f88cc91742dd085a02837edf2
Instruction ID: 254df3b70ba898f083872f8466a09d87fb694a5722068a86d3c32430f7a801bc
Opcode Fuzzy Hash: e4397c3b6930b9924a5520cd45c54d3b21da921f88cc91742dd085a02837edf2
Instruction Fuzzy Hash: 6AC2D1722097C08AEB62CF26E4547DDB7E0E349BC4F888015E78D4B7A6EB7AC951C741

Function 0000000140014038 Relevance: 3.8, APIs: 3, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcmpi.MSVCRT ref: 000000014001411A
_strcmpi.MSVCRT ref: 000000014001413D

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID:
API String ID: 1439213657-0
Opcode ID: 6478c6d4964f65beee1e93171977d872161366a92a42a62ad78371c14a2ea2a6
Instruction ID: 4ca867d2de024fb3fb3777c957baba19e9a58bec0276be627981bb033fc27fea
Opcode Fuzzy Hash: 6478c6d4964f65beee1e93171977d872161366a92a42a62ad78371c14a2ea2a6
Instruction Fuzzy Hash: 96417172204A4181EB16DF27E4403EAA3A5E78DBD4F588122FB594B7F9DB7AC945C340

Non-executed Functions

Function 000000014001B3C0 Relevance: 15.1, Strings: 12, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hardware, xrefs: 000000014001B44B
random_device::random_device(const std::string&): device not available, xrefs: 000000014001B519
Genu, xrefs: 000000014001B4F5
rdseed, xrefs: 000000014001B3F3
rdrnd, xrefs: 000000014001B421
Auth, xrefs: 000000014001B4FD
default, xrefs: 000000014001B3D1
rand_s, xrefs: 000000014001B464
Genu, xrefs: 000000014001B4AB
Auth, xrefs: 000000014001B4B3
rdrand, xrefs: 000000014001B40A
random_device::random_device(const std::string&): unsupported token, xrefs: 000000014001B484

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Auth$Auth$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 0-628424350
Opcode ID: 378cee84ca307b585455462128cdee60f6ef4b4836a56a113ea2b17bd2257447
Instruction ID: 20cffc7a84d52f92458b65fbe9fe785914383ff4bccac81b965c2f6d4dcca8f3
Opcode Fuzzy Hash: 378cee84ca307b585455462128cdee60f6ef4b4836a56a113ea2b17bd2257447
Instruction Fuzzy Hash: 54313270341B0191FF669B17B8503E42361A70E7D4F989126FB4A4F2B2EB7FC90A8301

Function 000000014001E3AF Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 309
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000000014001E641
CloseHandle.KERNEL32 ref: 000000014001E8B4

Strings

y, xrefs: 000000014001E3C0
o, xrefs: 000000014001E5A1

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID: o$y
API String ID: 252777609-1694203185
Opcode ID: 3320c1d535d724476daa3b3bcf43f64028623f8b8fc58884ed297bc8bf7b71ab
Instruction ID: d310d2be97648e253c560a797166a4409d0e810537ff2c8b596c9c53910e904a
Opcode Fuzzy Hash: 3320c1d535d724476daa3b3bcf43f64028623f8b8fc58884ed297bc8bf7b71ab
Instruction Fuzzy Hash: 91E182726183C09AFB52DB26E4497DE7A90E36A7C4F888015FB894B7E6DF79C044C712

Function 00000001400093C0 Relevance: 3.5, Strings: 2, Instructions: 1034COMMON

Download Yara Rule

Strings

Infinity, xrefs: 0000000140009475
NaN, xrefs: 0000000140009494

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: 03e5a306dddbeeeb1b7bcd6f1d7722179100b0d12a4c9f3057c591ce0f2f7c41
Instruction ID: e513643950d2d026adf010862d37e6e891c38bdac2f3d449936eba6982a00318
Opcode Fuzzy Hash: 03e5a306dddbeeeb1b7bcd6f1d7722179100b0d12a4c9f3057c591ce0f2f7c41
Instruction Fuzzy Hash: DB92C5B26186808AE767CB2BB40139AB7E1F78A7D4F144125FB4A57BA5DB3DC841CB00

Function 00000001400044D8 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

std, xrefs: 00000001400046E1
string literal, xrefs: 0000000140004606

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: std$string literal
API String ID: 0-2980153874
Opcode ID: 31c2c33bcbc9904f5e1b76260ef1922e30ade7e0b3302ada7f4c53eb79f8a994
Instruction ID: 08d0ecd75d8b0914846c9277b0880bf37aac30427774259e1c6162ff30fce452
Opcode Fuzzy Hash: 31c2c33bcbc9904f5e1b76260ef1922e30ade7e0b3302ada7f4c53eb79f8a994
Instruction Fuzzy Hash: 7F81AFF2605B4045FB67DE27B8403E926D1978EBC4F588124FB49477F7EA39C9428389

Function 0000000140011F60 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 000000014001E2A0, 000000014001E2B0
basic_string: construction from null is not valid, xrefs: 000000014001E2BC

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: basic_string: construction from null is not valid$basic_string::append
API String ID: 0-51681568
Opcode ID: 49ac6315421166d47662eb3a7f04084b530b6b7f3da16f1d1fd4607c7fb4abc2
Instruction ID: 4f9f3d44f4deaeaf4c17c83abacd67b6479df0dd49da93552e9acd6a68009cf1
Opcode Fuzzy Hash: 49ac6315421166d47662eb3a7f04084b530b6b7f3da16f1d1fd4607c7fb4abc2
Instruction Fuzzy Hash: 5A51AF72608AC095EB56DB26E4547DAA7A1F789BC0F548215FF9E0B7EADF39C401CB00

Function 00000001400060F8 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_GLOBAL_, xrefs: 0000000140006136

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: _GLOBAL_
API String ID: 0-770460502
Opcode ID: 956936422d1c7ad05473a44bb1e3bd3ce99177f4b2204914644c9e1fb0a27753
Instruction ID: bb8f763f05350120496706be19415098aab6dc47a3ed471cac6e69943cdbb561
Opcode Fuzzy Hash: 956936422d1c7ad05473a44bb1e3bd3ce99177f4b2204914644c9e1fb0a27753
Instruction Fuzzy Hash: 84C1D3B2A04BC09EFB26CF76A9403DD37A6F3497C8F444125EF4917BAADB3486568740

Function 0000000140005797 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f4d3e3b6ea6ce0071589385bd2e5569065b7d288e5103ce0ef4d98c09b1191
Instruction ID: f25d7bb0f82ece662791ba465fc948e5123c80d4cb0382487ea2e497f8d70737
Opcode Fuzzy Hash: 53f4d3e3b6ea6ce0071589385bd2e5569065b7d288e5103ce0ef4d98c09b1191
Instruction Fuzzy Hash: 8FF1A3F160574485FB67FA63B4513EB2786979FBD2F948022BF49177E2DA38CA418340

Function 0000000140003ED0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8559d96e6e51d5c5e6f0218a75207b2d72db76442868babdd1ae3134e8af195
Instruction ID: 1d4386e255450bb2d681d213033d2d38db775dc34ef659bafe9b2e3d91d34419
Opcode Fuzzy Hash: a8559d96e6e51d5c5e6f0218a75207b2d72db76442868babdd1ae3134e8af195
Instruction Fuzzy Hash: 8AD1A3F270568541FBBBCE57B4813E92692979DBC1F988025BF4A077E7DA38C9818348

Function 0000000140012155 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238b30aeb8dff5df4948e7232ea771a0018db09d69e6177ea1e0048423bdd0fa
Instruction ID: 9fff2e492fb6c8d5dc76a4d4fea15418ea31cc5ab0de00591d8a9dafc44b8327
Opcode Fuzzy Hash: 238b30aeb8dff5df4948e7232ea771a0018db09d69e6177ea1e0048423bdd0fa
Instruction Fuzzy Hash: 83C1E4733096C086EB62CB2AD04479DB7A1F788BC4F98C111E7994BBE5DB7AD4A5C700

Function 0000000140014EB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7457f964c1bf35bb69f5a67ed7b190f2082122272bf7d94a387fe0eeab0b8647
Instruction ID: 54c048d2a0c80fbad6ca4988327f6b1c736812512ec099045581b86f7f3f2335
Opcode Fuzzy Hash: 7457f964c1bf35bb69f5a67ed7b190f2082122272bf7d94a387fe0eeab0b8647
Instruction Fuzzy Hash: 61B17A72609B8081EA63AA56A0403DFA7A0F78E7C5F544016FF8D4F7BADE3AC544CB41

Function 000000014001E0F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400998c6cad9ba0cf9736015e9ec36b1a64c81ea0d99b33b7df95269d22d9b36
Instruction ID: 8d1810299d0ac68bfd96aef7d18b53adc8dfcfb2745184dff88143f9f623d615
Opcode Fuzzy Hash: 400998c6cad9ba0cf9736015e9ec36b1a64c81ea0d99b33b7df95269d22d9b36
Instruction Fuzzy Hash: B5118EB161164591FA0AAF23E8517ED3362AB4DBD4F489522FF0A0B3F6DE39C942C310

Function 0000000140033E66 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2dc2b0528ab3557eaf43f494facf060ef3949a0ee955ff0fd83f2cf80ef001
Instruction ID: b74631f765c6c4a1fd351000ada47d106d7ecdd5e0833f1b077419b8a9176487
Opcode Fuzzy Hash: bd2dc2b0528ab3557eaf43f494facf060ef3949a0ee955ff0fd83f2cf80ef001
Instruction Fuzzy Hash: DFB01233458C80E8CE4177429501FDD9710E3C5355F0D10117F8101666DE28D080CF00

Function 000000014000BB73 Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlLeaveCriticalSection.NTDLL ref: 000000014000BBA0
CloseHandle.KERNEL32 ref: 000000014000BBC8
CloseHandle.KERNEL32 ref: 000000014000BBD1
RtlLeaveCriticalSection.NTDLL ref: 000000014000BBD6
CloseHandle.KERNEL32 ref: 000000014000BBE3
CloseHandle.KERNEL32 ref: 000000014000BBE8
CloseHandle.KERNEL32 ref: 000000014000BBEE

Part of subcall function 000000014000B440: RtlLeaveCriticalSection.NTDLL ref: 000000014000B47C

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalLeaveSection
String ID:
API String ID: 303558334-0
Opcode ID: eea3d59772bed76da71c05364581cc4fac1333735410b9f329a274ce7f705582
Instruction ID: db9bc3ea2b401fe40534188740626adc7fc6ea51467dbe620a38848154d48bcc
Opcode Fuzzy Hash: eea3d59772bed76da71c05364581cc4fac1333735410b9f329a274ce7f705582
Instruction Fuzzy Hash: 3311C67230124546FA57EB37FD107E962545B59BE5F444532BF2A473F1DE38D9818300

Function 000000014000E985 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 000000014000E995
_errno.MSVCRT ref: 000000014000E9E2
CloseHandle.KERNEL32 ref: 000000014000E9EF
_errno.MSVCRT ref: 000000014000E9F9

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID: _errno$CloseHandle
String ID:
API String ID: 3673919685-0
Opcode ID: 48675a428d42c76c5d2ad6c88e1a52fb363fd78da7381e50e0cf55f31e60c89e
Instruction ID: 729afc2214a926c83ba5e71aeb976cb94d543333c3efe42ea47694f92644d168
Opcode Fuzzy Hash: 48675a428d42c76c5d2ad6c88e1a52fb363fd78da7381e50e0cf55f31e60c89e
Instruction Fuzzy Hash: EF0162B170538146FBA7AB93B8953E92250AB5EBD0F154125FF05273F1DD7D1C854311

Function 000000014001B2E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

random_device could not be read, xrefs: 000000014001B5D2

Memory Dump Source

Source File: 00000000.00000002.2048346570.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048365992.0000000140020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048394087.000000014002D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048407718.0000000140031000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048429583.0000000140054000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048478721.00000001400FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048525659.0000000140194000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048563792.0000000140205000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048578943.000000014020C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048597675.0000000140230000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048611566.0000000140234000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.0000000140235000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048624572.000000014023A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_file.jbxd

Yara matches

Similarity

API ID:
String ID: random_device could not be read
API String ID: 0-883157155
Opcode ID: 88df9a31d7d7e8bfc55b3df461b1b2ebd8e5fa8ac799ae49b87bd055495dff3b
Instruction ID: 6202fbb7eab86ef41cfe1eb285f4146c467e34ba76d7e951f446d23e05e54ad0
Opcode Fuzzy Hash: 88df9a31d7d7e8bfc55b3df461b1b2ebd8e5fa8ac799ae49b87bd055495dff3b
Instruction Fuzzy Hash: 5B018F7670590489EA139B2BE5013E86392974CBD8F4C4121EF0C4B3B1EA36C886C710

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6136, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6136, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 0000000140012926 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 1273COMMON

Function 0000000140014038 Relevance: 3.8, APIs: 3, Instructions: 98COMMON

Control-flow Graph

Non-executed Functions

Function 000000014001B3C0 Relevance: 15.1, Strings: 12, Instructions: 97COMMON

Windows Analysis Report
file.exe

Function 0000000140014038 Relevance: 3.8, APIs: 3, Instructions: 98
COMMON

Function 000000014001B3C0 Relevance: 15.1, Strings: 12, Instructions: 97
COMMON

Function 000000014001E3AF Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 309
sleepCOMMON

Function 000000014000BB73 Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Function 000000014000E985 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Function 000000014001B2E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON