
Windows Analysis Report
lQao7mmqva.exe

Overview

General Information

Sample name:lQao7mmqva.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Analysis ID:1502152
MD5:9ca62be8cc46eb148f6d758e41e65f50
SHA1:c0299514ef98f3ba819380a43ca6376d912a4a69
SHA256:33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Infos:

Detection

Score:45
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
May drop file containing decryption instructions (likely related to ransomware)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64
  • lQao7mmqva.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\lQao7mmqva.exe" MD5: 9CA62BE8CC46EB148F6D758E41E65F50)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: lQao7mmqva.exe | Avira: detected
Source: lQao7mmqva.exe | ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe | Virustotal: Detection: 53%
Source: lQao7mmqva.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lQao7mmqva.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown | DNS traffic detected: query: 18.31.95.13.in-addr.arpa reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Spam, unwanted Advertisements and Ransom Demands

Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3254474048.00000000068CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327927242.0000000001224000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.2628668752.00000000068CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal45.rans.winEXE@1/0@1/0
Source: lQao7mmqva.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lQao7mmqva.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\lQao7mmqva.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lQao7mmqva.exe | ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe | Virustotal: Detection: 53%
Source: C:\Users\user\Desktop\lQao7mmqva.exe | Section loaded: apphelp.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, windows.storage.dll, wldp.dll, explorerframe.dll, windowscodecs.dll, profapi.dll, thumbcache.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, propsys.dll, secur32.dll, sspicli.dll, samcli.dll, samlib.dll, netutils.dll, mpr.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, wkscli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, networkexplorer.dll, dlnashext.dll, playtodevice.dll, devdispitemprovider.dll, mmdevapi.dll, devobj.dll, wpdshext.dll, portabledeviceapi.dll, msasn1.dll, audiodev.dll, wmvcore.dll, wmasf.dll, mfperfhelper.dll, ntshrui.dll, srvcli.dll
Source: C:\Users\user\Desktop\lQao7mmqva.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE054212-3535-4430-83ED-D501AA6680E6}\InProcServer32
Source: C:\Users\user\Desktop\lQao7mmqva.exe | Automated click: OK (11 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: lQao7mmqva.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: lQao7mmqva.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lQao7mmqva.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lQao7mmqva.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lQao7mmqva.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lQao7mmqva.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: lQao7mmqva.exe, 00000000.00000003.2819860206.0000000006947000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
ATT&CK matrix (count of matching signatures in parentheses):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: DLL Side-Loading (1); Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1); Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Data Encrypted for Impact (1); Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| lQao7mmqva.exe | 58% | ReversingLabs | Win32.Trojan.Generic | |
| lQao7mmqva.exe | 53% | Virustotal | | Browse |
| lQao7mmqva.exe | 100% | Avira | HEUR/AGEN.1317223 | |
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| 18.31.95.13.in-addr.arpa | 0% | Virustotal | | Browse |
No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| 18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown |
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1502152
Start date and time:2024-08-31 08:32:38 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:lQao7mmqva.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Detection:MAL
Classification:mal45.rans.winEXE@1/0@1/0
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.168091451423199
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:lQao7mmqva.exe
File size:52'224 bytes
MD5:9ca62be8cc46eb148f6d758e41e65f50
SHA1:c0299514ef98f3ba819380a43ca6376d912a4a69
SHA256:33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
SHA512:04a0a8e714d97f6a840c75f70a0fe44fa1528550f3d6e0db8dacf8c60c0808ebdfd3fca090d01542ebb5b386df3b1b328cc951b7a61a6cd9c1d552d6154e8fa9
SSDEEP:768:88j8Psui2oVVx0x2E9Z1isqlVIJJWJtPAQGlS6l5sl3EGK5qnW:8W80xqZqYKPAlZGlW5q
TLSH:2A337C123AE1C172D06655752979E3900F7FB9252BA2C38BBB8402AE5F713D0DE3935B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S].".<.q.<.q.<.q.nnq.<.q.n.q.<.q.niq^<.q0..q.<.q.<.qz<.q.n`q.<.q.n~q.<.q.n{q.<.qRich.<.q................PE..L...]1.f...........
Icon Hash:00928e8e8686b000
Entrypoint:0x402513
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66D0315D [Thu Aug 29 08:29:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:b3f42306582713b9fca4d565ad9eff9a
Instruction
call 00007F3F98F1A673h
jmp 00007F3F98F180EDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0040CF78h], eax
mov dword ptr [0040CF74h], ecx
mov dword ptr [0040CF70h], edx
mov dword ptr [0040CF6Ch], ebx
mov dword ptr [0040CF68h], esi
mov dword ptr [0040CF64h], edi
mov word ptr [0040CF90h], ss
mov word ptr [0040CF84h], cs
mov word ptr [0040CF60h], ds
mov word ptr [0040CF5Ch], es
mov word ptr [0040CF58h], fs
mov word ptr [0040CF54h], gs
pushfd
pop dword ptr [0040CF88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040CF7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040CF80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0040CF8Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0040CEC8h], 00010001h
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CE7Ch], eax
mov dword ptr [0040CE70h], C0000409h
mov dword ptr [0040CE74h], 00000001h
mov eax, dword ptr [0040C004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040C008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000ACh]
Programming Language:
  • [C++] VS2008 build 21022
  • [ASM] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [RES] VS2008 build 21022
  • [LNK] VS2008 build 21022
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1a4 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x534 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x894 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xaea0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x184 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x74f8 | 0x7600 | ba7f3d35363f9dc8a6b9019b4f628199 | False | 0.6163268008474576 | data | 6.621376816261256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9000 | 0x2a4a | 0x2c00 | fd8b65923e1c1c752bbeebb1094d4142 | False | 0.369140625 | DOS executable (COM, 0x8C-variant) | 5.029612975426491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xc000 | 0x1a1c | 0x1000 | f8951ba6ec3e3f6056de8854b7aa1b92 | False | 0.25634765625 | data | 2.8251938250407314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xe000 | 0x534 | 0x600 | a8640dd72a77ea7ee5b95427c4f90e67 | False | 0.423828125 | data | 5.076954337528729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf000 | 0xe7c | 0x1000 | 5a20d1d5c1e2d3fbd87017e9b857de1d | False | 0.471435546875 | data | 4.430088398970326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| AFX_DIALOG_LAYOUT | 0xe10c | 0x2 | data | English | United States | 5.0 |
| RT_DIALOG | 0xe110 | 0x12c | data | English | United States | 0.5466666666666666 |
| RT_MANIFEST | 0xe23c | 0x2f5 | ASCII text, with very long lines (757), with no line terminators | English | United States | 0.4808454425363276 |
DLL | Imports
KERNEL32.dll | GetDriveTypeW, SetEndOfFile, SetErrorMode, InterlockedIncrement, GetQueuedCompletionStatus, SetFilePointerEx, WaitForSingleObject, GetLogicalDrives, FindFirstFileExW, WriteFile, Sleep, ReadFile, CreateFileW, lstrcmpW, lstrlenW, GetFileSizeEx, GetLastError, GetCurrentDirectoryW, MoveFileW, FindClose, PostQueuedCompletionStatus, GetSystemInfo, WaitForMultipleObjects, lstrcmpiW, CreateIoCompletionPort, FindNextFileW, CloseHandle, DeleteFileW, lstrcpyW, CreateThread, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetModuleHandleW, GetProcAddress, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA
USER32.dll | EndDialog, SendDlgItemMessageW, MessageBoxW, SendMessageW, DialogBoxParamW
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW
SHLWAPI.dll | wnsprintfW, StrStrW

| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| English | United States | |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Aug 31, 2024 08:33:59.539592981 CEST | 53 | 63767 | 162.159.36.2 | 192.168.2.6 |
| Aug 31, 2024 08:34:00.004774094 CEST | 58779 | 53 | 192.168.2.6 | 1.1.1.1 |
| Aug 31, 2024 08:34:00.012096882 CEST | 53 | 58779 | 1.1.1.1 | 192.168.2.6 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Aug 31, 2024 08:34:00.004774094 CEST | 192.168.2.6 | 1.1.1.1 | 0x4e7 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Aug 31, 2024 08:34:00.012096882 CEST | 1.1.1.1 | 192.168.2.6 | 0x4e7 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |
Target ID:0
Start time:02:33:24
Start date:31/08/2024
Path:C:\Users\user\Desktop\lQao7mmqva.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\lQao7mmqva.exe"
Imagebase:0xf90000
File size:52'224 bytes
MD5 hash:9CA62BE8CC46EB148F6D758E41E65F50
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

No disassembly