Windows Analysis Report
a.exe

Overview

General Information

Sample name: a.exe
Analysis ID: 1502378
MD5: b73211e7d1f0a1b73ce2233874a04104
SHA1: 7078418affd76b8e201fe1136b71f2c5d0c07022
SHA256: a7ca417a6f03578eb526c63f2d3ae4e189992886aea5052666e801ab4988385f
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • a.exe (PID: 4612 cmdline: "C:\Users\user\Desktop\a.exe" MD5: B73211E7D1F0A1B73CE2233874A04104)
    • cmd.exe (PID: 428 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2316 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • WindowsService.exe (PID: 3628 cmdline: "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" MD5: 5D4F30A017EDE40DD8BB828498148DC2)
  • WindowsService.exe (PID: 5520 cmdline: "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" MD5: 5D4F30A017EDE40DD8BB828498148DC2)
  • WindowsService.exe (PID: 1408 cmdline: "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" MD5: 5D4F30A017EDE40DD8BB828498148DC2)
  • cleanup
No configs have been found
Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x3454:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar
Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 428, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, ProcessId: 2316, ProcessName: reg.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 428, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f, ProcessId: 2316, ProcessName: reg.exe
No Suricata rule has matched


AV Detection

Source: a.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: a.exe, ReversingLabs: Detection: 84%
Source: a.exe, Virustotal: Detection: 63%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 90.8% probability
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Joe Sandbox ML: detected
Source: a.exe, Joe Sandbox ML: detected
Source: a.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Process information set: 1D 00 00 00

System Summary

Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: a.exe, Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WindowsService.exe.0.dr, Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: a.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine, Classification label: mal88.winEXE@11/3@0/0
Source: C:\Users\user\Desktop\a.exe, File created: C:\Users\user\AppData\Roaming\SystemWindows\
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Users\user\Desktop\a.exe, File created: C:\Users\user\AppData\Local\Temp\JAVWK.txt
Source: C:\Users\user\Desktop\a.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" "
Source: a.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\a.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a.exe, ReversingLabs: Detection: 84%
Source: a.exe, Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\a.exe, File read: C:\Users\user\Desktop\a.exe
Source: unknown, Process created: C:\Users\user\Desktop\a.exe "C:\Users\user\Desktop\a.exe"
Source: C:\Users\user\Desktop\a.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" "
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: C:\Users\user\Desktop\a.exe, Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: C:\Users\user\Desktop\a.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: sxs.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: mpr.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: propsys.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: edputil.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: slc.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: sppc.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\a.exe, Section loaded: lz32.dll
Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\a.exe, Code function: 0_2_00401BC4 push 00401100h; ret 0_2_00401BD7
Source: C:\Users\user\Desktop\a.exe, Code function: 0_2_00401A88 push 00401100h; ret 0_2_00401B87
Source: C:\Users\user\Desktop\a.exe, Code function: 0_2_00401B88 push 00401100h; ret 0_2_00401B9B
Source: C:\Users\user\Desktop\a.exe, Code function: 0_2_00401B9C push 00401100h; ret 0_2_00401BAF
Source: C:\Users\user\Desktop\a.exe, Code function: 0_2_00401BB0 push 00401100h; ret 0_2_00401BC3
Source: C:\Users\user\Desktop\a.exe, File created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Source: C:\Windows\SysWOW64\reg.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\a.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Process token adjusted: Debug
ATT&CK matrix (a leading number is the count of matching signatures for that technique; unnumbered entries are the matrix defaults):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior graph (Behavior Graph ID: 1502378, Sample: a.exe, Startdate: 01/09/2024, Architecture: WINDOWS, Score: 88):

  • Start node signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
  • Started from the start node: a.exe, WindowsService.exe, WindowsService.exe
  • a.exe drops C:\Users\user\AppData\...\WindowsService.exe (PE32) and starts WindowsService.exe and cmd.exe
  • WindowsService.exe signatures: Antivirus detection for dropped file; Protects its processes via BreakOnTermination flag; Machine Learning detection for dropped file
  • cmd.exe starts conhost.exe and reg.exe

Source: a.exe, Detection: 84%, Scanner: ReversingLabs, Label: Win32.Trojan.Daws
Source: a.exe, Detection: 63%, Scanner: Virustotal
Source: a.exe, Detection: 100%, Scanner: Avira, Label: TR/Dropper.Gen
Source: a.exe, Detection: 100%, Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Detection: 100%, Scanner: Avira, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe, Detection: 100%, Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502378
Start date and time: 2024-09-01 02:06:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: a.exe
Detection: MAL
Classification: mal88.winEXE@11/3@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
Time: 02:06:56, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Time: 02:07:04, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Time: 20:07:28, Type: API Interceptor, Description: 8870x Sleep call for process: WindowsService.exe modified
No context
Process: C:\Users\user\Desktop\a.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 158
Entropy (8bit): 5.000270699299717
Encrypted: false
SSDEEP: 3:ctm2KD9so3KRfyM1K7eDoKQHEXF9idJfNUkh4EaKC5SLBKSnlFmKDyn:cCtuH1j0KnidJ19aZ5NSL9Dy
MD5: 78632460B46D8B0EA070774654B95C26
SHA1: 311345DA2B5712AEB7F6637ECCE4B2CB13B565EF
SHA-256: 81A1033B0ED2CE2784CB665797B65BAF6AF1D326F74DC4736307FDDBC2BEF50A
SHA-512: 202C9915D39700AAF87917E9A6FDB283DE054DADBA395E4277189462E20B830F84A172A6AB786958D993B23DD48016CE32DE16B141A5B4E3D2C46B068964E757
Malicious: false
Reputation: low
Preview: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f..
Process: C:\Users\user\Desktop\a.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 158
Entropy (8bit): 5.000270699299717
Encrypted: false
SSDEEP: 3:ctm2KD9so3KRfyM1K7eDoKQHEXF9idJfNUkh4EaKC5SLBKSnlFmKDyn:cCtuH1j0KnidJ19aZ5NSL9Dy
MD5: 78632460B46D8B0EA070774654B95C26
SHA1: 311345DA2B5712AEB7F6637ECCE4B2CB13B565EF
SHA-256: 81A1033B0ED2CE2784CB665797B65BAF6AF1D326F74DC4736307FDDBC2BEF50A
SHA-512: 202C9915D39700AAF87917E9A6FDB283DE054DADBA395E4277189462E20B830F84A172A6AB786958D993B23DD48016CE32DE16B141A5B4E3D2C46B068964E757
Malicious: false
Preview: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f..
Process: C:\Users\user\Desktop\a.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 24576
Entropy (8bit): 3.5336217424973895
Encrypted: false
SSDEEP: 384:J4/UCC8VcAaYRiUiiV7fhqc45u8gNrLRnmhE:JUUC151Npquv3RnsE
MD5: 5D4F30A017EDE40DD8BB828498148DC2
SHA1: 5EC7B9B20ED7AAC843C7253D538DBE0CEDBC2709
SHA-256: 116B86A3FE22611289346AEC969E4F91895FFB40092391F70C5733C9DB32DEEB
SHA-512: 0299C3EEDDE3A69DE4165BF36897F6B92F8E5843442344C0B4ABEB048347CAD695D1BB01EB9AD54FF5CFAA5A747AE2E6D4E33C373E1ED940529B66EF5EF9D58D
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L.....O.................@... ...............P....@..........................p...............................................H..(....`...............................................................................................................text....:.......@.................. ..`.data...X....P......................@....rsrc........`.......P..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 3.5332103118049836
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: a.exe
File size: 24'576 bytes
MD5: b73211e7d1f0a1b73ce2233874a04104
SHA1: 7078418affd76b8e201fe1136b71f2c5d0c07022
SHA256: a7ca417a6f03578eb526c63f2d3ae4e189992886aea5052666e801ab4988385f
SHA512: 441a6cf825f7e9904c6b184c75e0eb5e0098bdab35158a3089af9d862732ee02388c94ee584256217fe7da81172c8c4a43cfe655847d26848d795a76f359f832
SSDEEP: 384:J4/UCC8VcAaYRiUiiV7fhqc45u8gNrLRnmhE:JUUC151Npquv3RnsE
TLSH: C9B28313F3E91625F2D786711CBAC3D567A7BC680F03891F2294762E2C31E628C25B67
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L......O.................@... ...............P....@........................
Icon Hash:00869eb0b230201f
Entrypoint:0x40110c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4FB6CFF4 [Fri May 18 22:40:52 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:3dcbc7d0ae83594aee771cb6c6621c0f
Instruction
push 004012B8h
call 00007F70C0CB6C55h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, esi
aaa
pushad
xchg byte ptr [ecx], bl
xchg eax, ecx
dec edx
mov al, FFh
ret
mov dh, 69h
cmp eax, 0000ACCCh
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
mov bh, 00h
add byte ptr [eax], al
inc ebx
push edx
dec ecx
push esp
dec ecx
inc ebx
add byte ptr [ebx+00h], dh
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add edx, edi
mul cl
xchg eax, edx
push 00000070h
les ecx, fword ptr [edx-56h]
jecxz 00007F70C0CB6C95h
salc
loope 00007F70C0CB6CCCh
pop eax
dec edx
call far 9426h : E9109322h
inc ecx
lodsd
jnbe 00007F70C0CB6CBDh
sub esi, dword ptr [esi-63h]
sbb dl, byte ptr [ecx+33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [726F4600h], al
insd
xor dword ptr [eax], eax
or eax, FFFFFF03h
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x48d4           0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x6000           0x902         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Sections

Name:.text
Virtual Address:0x1000
Virtual Size:0x3a08
Raw Size:0x4000
MD5:7468c4fba3ecf36c1b5c02cecfd5b1fd
Xored PE:False
ZLIB Complexity:0.3729248046875
File Type:COM executable for DOS
Entropy:4.404431912428191
Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Name:.data
Virtual Address:0x5000
Virtual Size:0xc58
Raw Size:0x0
MD5:d41d8cd98f00b204e9800998ecf8427e
Xored PE:False
ZLIB Complexity:0
File Type:empty
Entropy:0.0
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name:.rsrc
Virtual Address:0x6000
Virtual Size:0x902
Raw Size:0x1000
MD5:b42ab98ca2a71e137cf0e268fecf841a
Xored PE:False
ZLIB Complexity:0.178955078125
File Type:data
Entropy:1.9873830905268872
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources

Name:RT_ICON
RVA:0x6198
Size:0x130
Type:Device independent bitmap graphic, 32 x 64 x 1, image size 256
Language:
Country:
ZLIB Complexity:0.3223684210526316

Name:RT_ICON
RVA:0x62c8
Size:0x2e8
Type:Device independent bitmap graphic, 32 x 64 x 4, image size 640
Language:
Country:
ZLIB Complexity:0.19623655913978494

Name:RT_ICON
RVA:0x65b0
Size:0x128
Type:Device independent bitmap graphic, 16 x 32 x 4, image size 192
Language:
Country:
ZLIB Complexity:0.4155405405405405

Name:RT_GROUP_ICON
RVA:0x66d8
Size:0x30
Type:data
Language:
Country:
ZLIB Complexity:1.0

Name:RT_VERSION
RVA:0x6708
Size:0x1c0
Type:ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Language:English
Country:United States
ZLIB Complexity:0.515625

Name:RT_DLGINCLUDE
RVA:0x68c8
Size:0x3a
Type:ASCII text, with no line terminators
Language:Icelandic
Country:Iceland
ZLIB Complexity:1.0344827586206897
Imports

DLL:MSVBVM60.DLL
Import:MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, ProcCallEngine
Language of compilation system   Country where language is spoken   Map
English                          United States
Icelandic                        Iceland
Timestamp                          Source Port   Dest Port   Source IP   Dest IP
Sep 1, 2024 02:07:12.316154957 CEST   53            49501       1.1.1.1     192.168.2.5
Target ID:0
Start time:20:06:50
Start date:31/08/2024
Path:C:\Users\user\Desktop\a.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\a.exe"
Imagebase:0x400000
File size:24'576 bytes
MD5 hash:B73211E7D1F0A1B73CE2233874A04104
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:low
Has exited:false

Target ID:2
Start time:20:06:53
Start date:31/08/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" "
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:20:06:53
Start date:31/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:20:06:53
Start date:31/08/2024
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Imagebase:0xfb0000
File size:59'392 bytes
MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:20:06:53
Start date:31/08/2024
Path:C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Imagebase:0x400000
File size:24'576 bytes
MD5 hash:5D4F30A017EDE40DD8BB828498148DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:false

Target ID:6
Start time:20:07:04
Start date:31/08/2024
Path:C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Imagebase:0x400000
File size:24'576 bytes
MD5 hash:5D4F30A017EDE40DD8BB828498148DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:8
Start time:20:07:12
Start date:31/08/2024
Path:C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Imagebase:0x400000
File size:24'576 bytes
MD5 hash:5D4F30A017EDE40DD8BB828498148DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:false


    Execution Graph

    Execution Coverage:3.1%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:1
    Total number of Limit Nodes:0
    execution_graph 87 40110c 6CF9AC91

    Callgraph

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 40110c-401132 6CF9AC91
    APIs
    • 6CF9AC91.MSVBVM60(VB5!6&*), ref: 00401111
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3251903646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3251861516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3251936059.0000000000405000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3251966820.0000000000406000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_a.jbxd
    Similarity
    • API ID:
    • String ID: VB5!6&*
    • API String ID: 0-3593831657
    • Opcode ID: 223101344a84721efd189606d21c3e1f0fa014877028f2b1ee95838c1109afbe
    • Instruction ID: d4e82d6563696c86e2670daff9a4c97e594fd1f3ae94caee0b706b84b042bd70
    • Opcode Fuzzy Hash: 223101344a84721efd189606d21c3e1f0fa014877028f2b1ee95838c1109afbe
    • Instruction Fuzzy Hash: 4AE02BA158E7E02EC3031238082188A3FB40C8720038B01EBC080EF2F3E288480AD3A2