Edit tour

Windows Analysis Report
Stub.exe

Overview

General Information

Sample name:	Stub.exe
Analysis ID:	1502472
MD5:	e50e5c919322ad54bd5ed6eefba01619
SHA1:	988a6155484ea1e07883a1dd97ff1d97083adc5a
SHA256:	e4384cce1f9ea5e5c1e2fdb0af7ed8f25724c2618e462ae9fced298c24d7b095
Tags:	asyncratexe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Stub.exe (PID: 3128 cmdline: "C:\Users\user\Desktop\Stub.exe" MD5: E50E5C919322AD54BD5ED6EEFBA01619)

cmd.exe (PID: 3964 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1248 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3712 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

gang.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\gang.exe" MD5: E50E5C919322AD54BD5ED6EEFBA01619)

gang.exe (PID: 7116 cmdline: C:\Users\user\AppData\Roaming\gang.exe MD5: E50E5C919322AD54BD5ED6EEFBA01619)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Stub.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\gang.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Stub.exe.7f0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Stub.exe.2d03200.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Stub.exe", ParentImage: C:\Users\user\Desktop\Stub.exe, ParentProcessId: 3128, ParentProcessName: Stub.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit, ProcessId: 3964, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3964, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' , ProcessId: 1248, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Stub.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\gang.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gang.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\gang.exe	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: Stub.exe

Virustotal: Detection: 59%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gang.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Stub.exe

Joe Sandbox ML: detected

Source: Stub.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Stub.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Stub.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Stub.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Stub.exe.2d03200.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\gang.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.22:26706

Source: Joe Sandbox View

IP Address: 147.185.221.22 147.185.221.22

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: com-distinct.gl.at.ply.gg

Source: Stub.exe, 00000000.00000002.2035564774.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Stub.exe	Process information set: 00 00 00 00			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: 01 00 00 00			Jump to behavior

Source: C:\Users\user\AppData\Roaming\gang.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_01080774 NtQueryInformationProcess,	0_2_01080774
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_010807C4 NtQueryInformationProcess,	0_2_010807C4
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_01081792 NtQueryInformationProcess,	0_2_01081792
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_010807AA NtQueryInformationProcess,	0_2_010807AA
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_010823C0 NtQueryInformationProcess,	0_2_010823C0
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_01220774 NtQueryInformationProcess,	8_2_01220774
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_012223C8 NtQueryInformationProcess,	8_2_012223C8
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_01221791 NtQueryInformationProcess,	8_2_01221791
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_012223C0 NtQueryInformationProcess,	8_2_012223C0
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_028107C4 NtQueryInformationProcess,	9_2_028107C4
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02810774 NtQueryInformationProcess,	9_2_02810774
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02811797 NtQueryInformationProcess,	9_2_02811797
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02811D4F NtQueryInformationProcess,	9_2_02811D4F

Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_010869A8	0_2_010869A8
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_01081848	0_2_01081848
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_01087278	0_2_01087278
Source: C:\Users\user\Desktop\Stub.exe	Code function: 0_2_01086660	0_2_01086660
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_012269A8	8_2_012269A8
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_01227278	8_2_01227278
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 8_2_01226660	8_2_01226660

Source: Stub.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Stub.exe, OqYABVnrsXllVHT.cs	Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', 'pIH2eXkWxzQmfDE7g+Tr3E8nkK14bp0M6D72TDzF6/ahfXLSaozGMihfrD2GNistccbRJm5hbN9xx0pImmM4k3hcObt1Zx/scHlQR/QYXCbK1TVJ2m6jUoT6b0S8UtrCe1eBzwResFiYX89+94s8/vaLQK2/D7wI3wkoY6jNxJpX394k1LqEyMIV1Nl8t25FNLsUR5jgd4pyMfbKcY7U3e+R9/2fDYgoNyHmda+uk41XJvnB/8VuDdSKbvzak+356ExiPgABoMPbKLtxGPfH2ydVmsRDGl1utdZLFzFowgOND4xZpQDFrh8rcdWlcoelR7Uz38qIKLK8MwCJZTouKICLKOXG0lJieQ4bLHtObn7R2gPv8fYiy2B+AvRGQqqhHtwmm9ObpOsuHhls5TgAav5x/t0pyKoacWbYFqkSAY1fU0s18zWDfOH/oVMlVTBuUy09IW/bgiXlBhJHQhHGcdx/LeNbsrmFJFCmhs8YFXdQHQfxhx2oNgufHN7xD4j3eJxVS8z1DAw1QLYFAheT+Ty05rwZGfW3o+GYQzSRi6s/HE1x6P7ZtY0v4rhWxm0FvsIEPV/jtiFiiMzE8xMivhfH42PgEf+2CaaSanKX94o5F6VFphnODEMl2E6wgZNaoCGZxP2AU7m4f9Uv53EYhNaMveFWGFcjkB6lDXYz/38K6i8yt6xp3pzBJX2kkMgONDODGbX8A9wActVreri47CryDVK/3GVJjz449sP8BeFMfpGuVHsRq9gK+zyvhvtKCDwGeQ+LN1FaVoqKzDjfH05oXLPIh8d1zVOFM8SdNlLBxbQey/uyiskWWpOozwIb1gNqskVy72FClPa9DAxtCCdsheJH433hpeQWqA/Ayrx5b8y0JIQnF/GJX3E1d3AzM3n4fM4IzqPe5p4nIMy2INR7dY2NXZqU4nhZvG/GqjaZsqR3KwSlmwocA0EeKQrx+ZbdRs7u80+fQ7YTpsa+8W5V/7RMsTgUUQEpLX2loydXvem0DZ75McR9Ui/9j9uH6GxNiRzCIggulZvxIS1ob8pde71XroFE9EnbacngZeBUg+QCHM2JiJpnNKA/cqlGVS9Uf2uqxDyyswEbEz1d2nwIS5EiCwZojq0TkGuJc7vd+hmPMmrGcj5euZwUicTrKtZ7Poo8DEKGOrHc6wbVFcdpLk1L25ngjY2vNIjNRUgyPPVqqsmPzfCvXd+XvUqMOT5IS45L6PcQpUKterBg2gAa9qTcojU6ayxYSEKIRt3C8Qw0OhOPwiyri7YZTQT1o8fRrnNepFXykAod5DxWEL4gC5NDmg11psRJO32DoSaKugExJ2viEHYWEgre8maY14JxomtdAPFHf1FX/kcX2qvWgAUVd54LfVM10MrlvBFJTf3HM/a9XbAqtv2+WXB3z9bSXfiyX6c9mNSpUfvPhK/l59pExAsBc2ZBjHAiZ3pTowDQib7XJ8THKy1XMZ6p8NtxD8Kh9qjJTYDDxuAyGf1/ExACs3AKSIIHCJgkzoE/7yQwshPL8+f8USM3PaBheKJPt/IvaP7bzxSGkmBYJ6SLnXv5MtIhhMKfZ/7ZA/4w766RZ+TXFuCWMAyM9bDppQ5LNMaugrH6w15q0lrx8qNYmbt6+OfQqFcrAWpIpt8DmKGJ76Stj+LCW+cdqsNnprm5WCQNcqX9z0vJcjF1+RRTXnabpTav+3sK5Y3ORAK2UAI2/9xRmS3BP82PGp+GIdgAc8K+3rPcW6sKoA+qN2nhIReAn9EqHWcSZlry2WHwtCyIC178iiXxDXNeV5foBFKjtq3sSh71KigfM3aey3zMjURLmZqN4l1lvEG96PaPrOuxaokqzI/4cs/SXRNRUTEHO9Pf3yBKbkWrBhMEN33J1/fTtOi8oUj6zk1Qwdqxo/lzBwpMBhD2/5ZAvlP0qE63DOizW2sN/JP/5cwkMD7dOmRZ0R5c4PlZCpODvro2opjJj4or2iVUxcrHu4JBfxSvKp55zEvYbg2RKJDYHnF3hlIDwQvB0MXw6JScEecvv7CXHa81zWuxhhcYWfUDHPj2B+tXlQn1KHOQwKskcK+L4016zILMO0C7tqjZcRjIQVQA9zEwIYmjFUTX/MBpZZdcjqQFdw8rfmTkCKC/0DYcDhm2uXToon8YxvE0vqU3YY2WITr30Z7BjG5zqFqt2pBCUp3Z/MzvvL/3XDfnvAyxGii9e0nGapJBLZZiCIM7cqlsYmNV4IOCXO7G9861rvJdeD70Jcin1RENFsu2OHzstLH8gq0CGVkwBi8IGOkBeoII6M49XqJdhnopJTI/a5vaF8o3YR2jZ3tfX/BmKlA9yl8FKkN7s2K8XI+k8lRVJDfNcLKk+qVCvyV+sz69', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77
Source: gang.exe.0.dr, OqYABVnrsXllVHT.cs	Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', 'pIH2eXkWxzQmfDE7g+Tr3E8nkK14bp0M6D72TDzF6/ahfXLSaozGMihfrD2GNistccbRJm5hbN9xx0pImmM4k3hcObt1Zx/scHlQR/QYXCbK1TVJ2m6jUoT6b0S8UtrCe1eBzwResFiYX89+94s8/vaLQK2/D7wI3wkoY6jNxJpX394k1LqEyMIV1Nl8t25FNLsUR5jgd4pyMfbKcY7U3e+R9/2fDYgoNyHmda+uk41XJvnB/8VuDdSKbvzak+356ExiPgABoMPbKLtxGPfH2ydVmsRDGl1utdZLFzFowgOND4xZpQDFrh8rcdWlcoelR7Uz38qIKLK8MwCJZTouKICLKOXG0lJieQ4bLHtObn7R2gPv8fYiy2B+AvRGQqqhHtwmm9ObpOsuHhls5TgAav5x/t0pyKoacWbYFqkSAY1fU0s18zWDfOH/oVMlVTBuUy09IW/bgiXlBhJHQhHGcdx/LeNbsrmFJFCmhs8YFXdQHQfxhx2oNgufHN7xD4j3eJxVS8z1DAw1QLYFAheT+Ty05rwZGfW3o+GYQzSRi6s/HE1x6P7ZtY0v4rhWxm0FvsIEPV/jtiFiiMzE8xMivhfH42PgEf+2CaaSanKX94o5F6VFphnODEMl2E6wgZNaoCGZxP2AU7m4f9Uv53EYhNaMveFWGFcjkB6lDXYz/38K6i8yt6xp3pzBJX2kkMgONDODGbX8A9wActVreri47CryDVK/3GVJjz449sP8BeFMfpGuVHsRq9gK+zyvhvtKCDwGeQ+LN1FaVoqKzDjfH05oXLPIh8d1zVOFM8SdNlLBxbQey/uyiskWWpOozwIb1gNqskVy72FClPa9DAxtCCdsheJH433hpeQWqA/Ayrx5b8y0JIQnF/GJX3E1d3AzM3n4fM4IzqPe5p4nIMy2INR7dY2NXZqU4nhZvG/GqjaZsqR3KwSlmwocA0EeKQrx+ZbdRs7u80+fQ7YTpsa+8W5V/7RMsTgUUQEpLX2loydXvem0DZ75McR9Ui/9j9uH6GxNiRzCIggulZvxIS1ob8pde71XroFE9EnbacngZeBUg+QCHM2JiJpnNKA/cqlGVS9Uf2uqxDyyswEbEz1d2nwIS5EiCwZojq0TkGuJc7vd+hmPMmrGcj5euZwUicTrKtZ7Poo8DEKGOrHc6wbVFcdpLk1L25ngjY2vNIjNRUgyPPVqqsmPzfCvXd+XvUqMOT5IS45L6PcQpUKterBg2gAa9qTcojU6ayxYSEKIRt3C8Qw0OhOPwiyri7YZTQT1o8fRrnNepFXykAod5DxWEL4gC5NDmg11psRJO32DoSaKugExJ2viEHYWEgre8maY14JxomtdAPFHf1FX/kcX2qvWgAUVd54LfVM10MrlvBFJTf3HM/a9XbAqtv2+WXB3z9bSXfiyX6c9mNSpUfvPhK/l59pExAsBc2ZBjHAiZ3pTowDQib7XJ8THKy1XMZ6p8NtxD8Kh9qjJTYDDxuAyGf1/ExACs3AKSIIHCJgkzoE/7yQwshPL8+f8USM3PaBheKJPt/IvaP7bzxSGkmBYJ6SLnXv5MtIhhMKfZ/7ZA/4w766RZ+TXFuCWMAyM9bDppQ5LNMaugrH6w15q0lrx8qNYmbt6+OfQqFcrAWpIpt8DmKGJ76Stj+LCW+cdqsNnprm5WCQNcqX9z0vJcjF1+RRTXnabpTav+3sK5Y3ORAK2UAI2/9xRmS3BP82PGp+GIdgAc8K+3rPcW6sKoA+qN2nhIReAn9EqHWcSZlry2WHwtCyIC178iiXxDXNeV5foBFKjtq3sSh71KigfM3aey3zMjURLmZqN4l1lvEG96PaPrOuxaokqzI/4cs/SXRNRUTEHO9Pf3yBKbkWrBhMEN33J1/fTtOi8oUj6zk1Qwdqxo/lzBwpMBhD2/5ZAvlP0qE63DOizW2sN/JP/5cwkMD7dOmRZ0R5c4PlZCpODvro2opjJj4or2iVUxcrHu4JBfxSvKp55zEvYbg2RKJDYHnF3hlIDwQvB0MXw6JScEecvv7CXHa81zWuxhhcYWfUDHPj2B+tXlQn1KHOQwKskcK+L4016zILMO0C7tqjZcRjIQVQA9zEwIYmjFUTX/MBpZZdcjqQFdw8rfmTkCKC/0DYcDhm2uXToon8YxvE0vqU3YY2WITr30Z7BjG5zqFqt2pBCUp3Z/MzvvL/3XDfnvAyxGii9e0nGapJBLZZiCIM7cqlsYmNV4IOCXO7G9861rvJdeD70Jcin1RENFsu2OHzstLH8gq0CGVkwBi8IGOkBeoII6M49XqJdhnopJTI/a5vaF8o3YR2jZ3tfX/BmKlA9yl8FKkN7s2K8XI+k8lRVJDfNcLKk+qVCvyV+sz69', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, OqYABVnrsXllVHT.cs	Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', 'pIH2eXkWxzQmfDE7g+Tr3E8nkK14bp0M6D72TDzF6/ahfXLSaozGMihfrD2GNistccbRJm5hbN9xx0pImmM4k3hcObt1Zx/scHlQR/QYXCbK1TVJ2m6jUoT6b0S8UtrCe1eBzwResFiYX89+94s8/vaLQK2/D7wI3wkoY6jNxJpX394k1LqEyMIV1Nl8t25FNLsUR5jgd4pyMfbKcY7U3e+R9/2fDYgoNyHmda+uk41XJvnB/8VuDdSKbvzak+356ExiPgABoMPbKLtxGPfH2ydVmsRDGl1utdZLFzFowgOND4xZpQDFrh8rcdWlcoelR7Uz38qIKLK8MwCJZTouKICLKOXG0lJieQ4bLHtObn7R2gPv8fYiy2B+AvRGQqqhHtwmm9ObpOsuHhls5TgAav5x/t0pyKoacWbYFqkSAY1fU0s18zWDfOH/oVMlVTBuUy09IW/bgiXlBhJHQhHGcdx/LeNbsrmFJFCmhs8YFXdQHQfxhx2oNgufHN7xD4j3eJxVS8z1DAw1QLYFAheT+Ty05rwZGfW3o+GYQzSRi6s/HE1x6P7ZtY0v4rhWxm0FvsIEPV/jtiFiiMzE8xMivhfH42PgEf+2CaaSanKX94o5F6VFphnODEMl2E6wgZNaoCGZxP2AU7m4f9Uv53EYhNaMveFWGFcjkB6lDXYz/38K6i8yt6xp3pzBJX2kkMgONDODGbX8A9wActVreri47CryDVK/3GVJjz449sP8BeFMfpGuVHsRq9gK+zyvhvtKCDwGeQ+LN1FaVoqKzDjfH05oXLPIh8d1zVOFM8SdNlLBxbQey/uyiskWWpOozwIb1gNqskVy72FClPa9DAxtCCdsheJH433hpeQWqA/Ayrx5b8y0JIQnF/GJX3E1d3AzM3n4fM4IzqPe5p4nIMy2INR7dY2NXZqU4nhZvG/GqjaZsqR3KwSlmwocA0EeKQrx+ZbdRs7u80+fQ7YTpsa+8W5V/7RMsTgUUQEpLX2loydXvem0DZ75McR9Ui/9j9uH6GxNiRzCIggulZvxIS1ob8pde71XroFE9EnbacngZeBUg+QCHM2JiJpnNKA/cqlGVS9Uf2uqxDyyswEbEz1d2nwIS5EiCwZojq0TkGuJc7vd+hmPMmrGcj5euZwUicTrKtZ7Poo8DEKGOrHc6wbVFcdpLk1L25ngjY2vNIjNRUgyPPVqqsmPzfCvXd+XvUqMOT5IS45L6PcQpUKterBg2gAa9qTcojU6ayxYSEKIRt3C8Qw0OhOPwiyri7YZTQT1o8fRrnNepFXykAod5DxWEL4gC5NDmg11psRJO32DoSaKugExJ2viEHYWEgre8maY14JxomtdAPFHf1FX/kcX2qvWgAUVd54LfVM10MrlvBFJTf3HM/a9XbAqtv2+WXB3z9bSXfiyX6c9mNSpUfvPhK/l59pExAsBc2ZBjHAiZ3pTowDQib7XJ8THKy1XMZ6p8NtxD8Kh9qjJTYDDxuAyGf1/ExACs3AKSIIHCJgkzoE/7yQwshPL8+f8USM3PaBheKJPt/IvaP7bzxSGkmBYJ6SLnXv5MtIhhMKfZ/7ZA/4w766RZ+TXFuCWMAyM9bDppQ5LNMaugrH6w15q0lrx8qNYmbt6+OfQqFcrAWpIpt8DmKGJ76Stj+LCW+cdqsNnprm5WCQNcqX9z0vJcjF1+RRTXnabpTav+3sK5Y3ORAK2UAI2/9xRmS3BP82PGp+GIdgAc8K+3rPcW6sKoA+qN2nhIReAn9EqHWcSZlry2WHwtCyIC178iiXxDXNeV5foBFKjtq3sSh71KigfM3aey3zMjURLmZqN4l1lvEG96PaPrOuxaokqzI/4cs/SXRNRUTEHO9Pf3yBKbkWrBhMEN33J1/fTtOi8oUj6zk1Qwdqxo/lzBwpMBhD2/5ZAvlP0qE63DOizW2sN/JP/5cwkMD7dOmRZ0R5c4PlZCpODvro2opjJj4or2iVUxcrHu4JBfxSvKp55zEvYbg2RKJDYHnF3hlIDwQvB0MXw6JScEecvv7CXHa81zWuxhhcYWfUDHPj2B+tXlQn1KHOQwKskcK+L4016zILMO0C7tqjZcRjIQVQA9zEwIYmjFUTX/MBpZZdcjqQFdw8rfmTkCKC/0DYcDhm2uXToon8YxvE0vqU3YY2WITr30Z7BjG5zqFqt2pBCUp3Z/MzvvL/3XDfnvAyxGii9e0nGapJBLZZiCIM7cqlsYmNV4IOCXO7G9861rvJdeD70Jcin1RENFsu2OHzstLH8gq0CGVkwBi8IGOkBeoII6M49XqJdhnopJTI/a5vaF8o3YR2jZ3tfX/BmKlA9yl8FKkN7s2K8XI+k8lRVJDfNcLKk+qVCvyV+sz69', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77

Source: gang.exe.0.dr, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: gang.exe.0.dr, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Stub.exe, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Stub.exe, dfHxNbZDwC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/5@1/1

Source: C:\Users\user\Desktop\Stub.exe

File created: C:\Users\user\AppData\Roaming\gang.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gang.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gang.exe	Mutant created: \Sessions\1\BaseNamedObjects\SuperBoo_mtex_920393
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03

Source: C:\Users\user\Desktop\Stub.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""

Source: Stub.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Stub.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Stub.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Stub.exe

Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\Stub.exe

File read: C:\Users\user\Desktop\Stub.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Stub.exe "C:\Users\user\Desktop\Stub.exe"
Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gang.exe C:\Users\user\AppData\Roaming\gang.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\gang.exe "C:\Users\user\AppData\Roaming\gang.exe"
Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\gang.exe "C:\Users\user\AppData\Roaming\gang.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Stub.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Stub.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Stub.exe, uooxPsfrCkDz.cs	.Net Code: eMGTwYJKwJLOb
Source: gang.exe.0.dr, uooxPsfrCkDz.cs	.Net Code: eMGTwYJKwJLOb
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, uooxPsfrCkDz.cs	.Net Code: eMGTwYJKwJLOb

Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02811AE0 push edx; retf	9_2_02811AEE
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02810812 push ecx; retf	9_2_02810813
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_0281081D push ecx; retf	9_2_0281081F
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02810844 push esp; retf	9_2_02810846
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02811848 push ecx; retf	9_2_02811856
Source: C:\Users\user\AppData\Roaming\gang.exe	Code function: 9_2_02813D5D push esp; retf	9_2_02813D6E

Source: Stub.exe, DplwvdqGVLVF.cs	High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: Stub.exe, RvjpCZIkLLBwzlL.cs	High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'
Source: gang.exe.0.dr, DplwvdqGVLVF.cs	High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: gang.exe.0.dr, RvjpCZIkLLBwzlL.cs	High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, DplwvdqGVLVF.cs	High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, RvjpCZIkLLBwzlL.cs	High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'

Source: C:\Users\user\Desktop\Stub.exe

File created: C:\Users\user\AppData\Roaming\gang.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'

Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Roaming\gang.exe

Section loaded: OutputDebugStringW count: 1954

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Stub.exe, 00000000.00000002.2035564774.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Stub.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\gang.exe	Window / User API: threadDelayed 4483	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Window / User API: threadDelayed 4607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Window / User API: threadDelayed 427	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe TID: 4984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 5768	Thread sleep time: -4483000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 5756	Thread sleep time: -4607000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\gang.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Stub.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: gang.exe, 00000008.00000002.3221641595.0000000005A7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Stub.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Stub.exe

Code function: 0_2_010878B0 CheckRemoteDebuggerPresent,

0_2_010878B0

Source: C:\Users\user\Desktop\Stub.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\gang.exe "C:\Users\user\AppData\Roaming\gang.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe	Queries volume information: C:\Users\user\Desktop\Stub.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Queries volume information: C:\Users\user\AppData\Roaming\gang.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe	Queries volume information: C:\Users\user\AppData\Roaming\gang.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Stub.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Stub.exe	59%	Virustotal		Browse
Stub.exe	100%	Avira	TR/Dropper.Gen
Stub.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gang.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\gang.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gang.exe	66%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Roaming\gang.exe	59%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
com-distinct.gl.at.ply.gg	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
com-distinct.gl.at.ply.gg	147.185.221.22	true	false	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Stub.exe, 00000000.00000002.2035564774.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.22	com-distinct.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502472
Start date and time:	2024-09-01 18:15:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Stub.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:16:27	API Interceptor	458416x Sleep call for process: gang.exe modified
18:15:55	Task Scheduler	Run new task: gang path: "C:\Users\user\AppData\Roaming\gang.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.22	abomr3e.exe	Get hash	malicious	XWorm	Browse
	ChenzeCheats.exe	Get hash	malicious	XWorm	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Ozj6OxEatlic.exe	Get hash	malicious	XWorm	Browse
	Neverlose.exe	Get hash	malicious	XWorm	Browse
	Solara.exe	Get hash	malicious	XWorm	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	dsjjzgRwZe.exe	Get hash	malicious	Njrat	Browse
	22.08.2024.exe	Get hash	malicious	Xmrig	Browse
	SolaraBootstrapper.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	147.185.221.21
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	147.185.221.21
	stub (5).bat	Get hash	malicious	Unknown	Browse	147.185.221.19
	MicrosoftEdgeWebview2.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	abomr3e.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat	Get hash	malicious	Unknown	Browse	147.185.221.21
	ChenzeCheats.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	Image Logger Installer.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.21
	Ozj6OxEatlic.exe	Get hash	malicious	XWorm	Browse	147.185.221.22

Process:	C:\Users\user\Desktop\Stub.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.348505694476449
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
MD5:	A65F13C4355387C4645D260206AE915F
SHA1:	F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
SHA-256:	DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
SHA-512:	0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gang.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gang.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat

Download File

Process:	C:\Users\user\Desktop\Stub.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.981753004557284
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oUkh4EaKC5rAIvmqRDUkh4E2J5xAInTRIOEm5ZPy:hWKqTtT69aZ5rAIvmq1923fTvEm5k
MD5:	49985256B303ACFEF78497CFA757B318
SHA1:	2D051EBE38C2DF4F6B000D968BC09710987D2314
SHA-256:	7E773892955B22127EF14BBA8C885AD08C34B06D0116518B50A507CD736A160A
SHA-512:	DCBEEDEFD1BC8054B7B569E9AFB0C236DFBB1EE35FBAFFA6587E62CA4F454EC711CC5DD875D74769ECA7075C325B059CC31EB11FBADB152604677F843422BABE
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\gang.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpAD4A.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\gang.exe

Download File

Process:	C:\Users\user\Desktop\Stub.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	5.950435551429037
Encrypted:	false
SSDEEP:	1536:4EKoM1cSSTTGBfu4maBqJubMo/ZlB9wyaeXAFmf+:XK4aBjmaBqJubMsp97hXAQm
MD5:	E50E5C919322AD54BD5ED6EEFBA01619
SHA1:	988A6155484EA1E07883A1DD97FF1D97083ADC5A
SHA-256:	E4384CCE1F9EA5E5C1E2FDB0AF7ED8F25724C2618E462AE9FCED298C24D7B095
SHA-512:	5E017CCCA9ABECCF8837C4C249B09019DB8AD06E041B5A3D14D97B5CB0E16C57651E548936B872171EAC43C8D16BC864E4726C6431E6A5FF947B68163F395BE5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\gang.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................N.... ... ....@.. .......................`............`.....................................O.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H........x.................................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~"......"....~#......#....~$......$....~%......%....~&......&....~'......'....~(......(....~)....~..........~+......+....~,......,....(Y......2~.....oZ....s.....)....(=...-.(>...-.(?...-.(;...-.(<...,..(....V(....s.... ...o....b~-...,.~-...o......-...f~....(....,.(D...,.(T....r.,.pr...pr...p(.... .a.!.(....~....(.....2...*.s.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.950435551429037
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Stub.exe
File size:	61'952 bytes
MD5:	e50e5c919322ad54bd5ed6eefba01619
SHA1:	988a6155484ea1e07883a1dd97ff1d97083adc5a
SHA256:	e4384cce1f9ea5e5c1e2fdb0af7ed8f25724c2618e462ae9fced298c24d7b095
SHA512:	5e017ccca9abeccf8837c4c249b09019db8ad06e041b5a3d14d97b5cb0e16c57651e548936b872171eac43c8d16bc864e4726c6431e6a5ff947b68163f395be5
SSDEEP:	1536:4EKoM1cSSTTGBfu4maBqJubMo/ZlB9wyaeXAFmf+:XK4aBjmaBqJubMsp97hXAQm
TLSH:	84537D043FBA422DE2BE5B7860E1304506BB91933A03DBF91CD941C727877D79A21EE9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................N.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41044e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64AB7FC1 [Mon Jul 10 03:49:21 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x103fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe454	0xe600	a688678a9c4250b2b5988ff773a9f930	False	0.5197180706521739	data	6.0132468928458485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x7e4	0x800	74eef6c1cb627ee5a576a756707f8526	False	0.4150390625	data	4.805813992760355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	b5ea470c0657070d8e2c71b9f07957b5	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1236c	0x478	exported SGML document, Unicode text, UTF-8 (with BOM) text			0.4423076923076923

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 18:16:01.038258076 CEST	49704	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:01.043301105 CEST	26706	49704	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:01.043396950 CEST	49704	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:01.072412014 CEST	49704	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:01.077299118 CEST	26706	49704	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:22.446301937 CEST	26706	49704	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:22.446408987 CEST	49704	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:27.468947887 CEST	49704	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:27.469775915 CEST	49711	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:27.474178076 CEST	26706	49704	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:27.475507021 CEST	26706	49711	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:27.475581884 CEST	49711	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:27.475918055 CEST	49711	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:27.482297897 CEST	26706	49711	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:48.837759018 CEST	26706	49711	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:48.837946892 CEST	49711	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:53.843485117 CEST	49711	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:53.844274044 CEST	49713	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:53.991710901 CEST	26706	49711	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:53.991728067 CEST	26706	49713	147.185.221.22	192.168.2.5
Sep 1, 2024 18:16:53.991820097 CEST	49713	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:53.992177010 CEST	49713	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:16:53.997867107 CEST	26706	49713	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:15.357405901 CEST	26706	49713	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:15.357487917 CEST	49713	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:20.373354912 CEST	49713	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:20.374047995 CEST	49714	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:20.382720947 CEST	26706	49713	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:20.383174896 CEST	26706	49714	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:20.383296967 CEST	49714	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:20.383644104 CEST	49714	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:20.389739037 CEST	26706	49714	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:41.796091080 CEST	26706	49714	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:41.796283007 CEST	49714	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:46.810853004 CEST	49714	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:46.811939001 CEST	49715	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:46.815890074 CEST	26706	49714	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:46.817014933 CEST	26706	49715	147.185.221.22	192.168.2.5
Sep 1, 2024 18:17:46.817106962 CEST	49715	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:46.817395926 CEST	49715	26706	192.168.2.5	147.185.221.22
Sep 1, 2024 18:17:46.822520018 CEST	26706	49715	147.185.221.22	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 18:16:00.959286928 CEST	51068	53	192.168.2.5	1.1.1.1
Sep 1, 2024 18:16:00.984272003 CEST	53	51068	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 1, 2024 18:16:00.959286928 CEST	192.168.2.5	1.1.1.1	0x3cd1	Standard query (0)	com-distinct.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 1, 2024 18:16:00.984272003 CEST	1.1.1.1	192.168.2.5	0x3cd1	No error (0)	com-distinct.gl.at.ply.gg		147.185.221.22	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:15:49
Start date:	01/09/2024
Path:	C:\Users\user\Desktop\Stub.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Stub.exe"
Imagebase:	0x7f0000
File size:	61'952 bytes
MD5 hash:	E50E5C919322AD54BD5ED6EEFBA01619
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:15:53
Start date:	01/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:15:53
Start date:	01/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:15:53
Start date:	01/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:15:54
Start date:	01/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:15:54
Start date:	01/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'
Imagebase:	0x80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:15:54
Start date:	01/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0xe90000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:15:55
Start date:	01/09/2024
Path:	C:\Users\user\AppData\Roaming\gang.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gang.exe
Imagebase:	0xbe0000
File size:	61'952 bytes
MD5 hash:	E50E5C919322AD54BD5ED6EEFBA01619
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\gang.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:15:57
Start date:	01/09/2024
Path:	C:\Users\user\AppData\Roaming\gang.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\gang.exe"
Imagebase:	0x700000
File size:	61'952 bytes
MD5 hash:	E50E5C919322AD54BD5ED6EEFBA01619
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.1%
Total number of Nodes:	35
Total number of Limit Nodes:	4

Executed Functions

Function 010807AA Relevance: 1.6, APIs: 1, Instructions: 69
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01082447

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 09ac30e78a3e9052dd748ce073180cc4a17de6cd609c918db9d9903c66102432
Instruction ID: 6dea33a6cc523b3e595badf2593106d3ea179756b753e78da5ed59a83dcd7dbf
Opcode Fuzzy Hash: 09ac30e78a3e9052dd748ce073180cc4a17de6cd609c918db9d9903c66102432
Instruction Fuzzy Hash: 892137B5909388DFCB11DF9AD850ACEBFF4FF49310F10845AE958A7261C374A514CBA5

Function 010878B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01087C4F

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 7155f80bb40a0e7a18cbaaecf87ffe8adcbf40b5c60f51dc2d55dc0221dd1bab
Instruction ID: 92c0d4f2ccbf67c0127280c34e2941901063a0dffe62c9a5869cd1b652328e48
Opcode Fuzzy Hash: 7155f80bb40a0e7a18cbaaecf87ffe8adcbf40b5c60f51dc2d55dc0221dd1bab
Instruction Fuzzy Hash: 222136B18002598FCB10DF9AD484BEEFBF4EF49310F24846AE959A3350D778A944CFA1

Function 010823C0 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01082447

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 8ebf866b06268cc76886f157e02920c92d6eda1cd5b590da272dee1e70e0f752
Instruction ID: a74fc46d9dbca33483d26b40b7350602bf62b9573401392f5e92f7d2ac9e2806
Opcode Fuzzy Hash: 8ebf866b06268cc76886f157e02920c92d6eda1cd5b590da272dee1e70e0f752
Instruction Fuzzy Hash: 4B21DBB5901248DFCB10DF9AD884ADEBBF4FB49310F10842AE958A7210D379A940CFA5

Function 01080774 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01081817

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b935efb3e48d05b684af734a57169ef0a4f838993310def3c956639ecf4ed498
Instruction ID: 18550193044e97ea92721d342b6bf7e513408e1bbbf89ba32418f9192134f705
Opcode Fuzzy Hash: b935efb3e48d05b684af734a57169ef0a4f838993310def3c956639ecf4ed498
Instruction Fuzzy Hash: 6821D0B5900348DFCB10DF9AD884ADEBBF4FF48310F10842AEA58A7210C375A944CFA5

Function 01081792 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01081817

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 3c90773b07bdc268daad7f8095329f025fcf0491dc9751915cca0e64809a4988
Instruction ID: 4ecebfa76b8ed131f3bdbea9f7f03b8c1c7a6bfc4d0b084a4dcf30ad3f4a0199
Opcode Fuzzy Hash: 3c90773b07bdc268daad7f8095329f025fcf0491dc9751915cca0e64809a4988
Instruction Fuzzy Hash: 7521EDB5900248EFCB10DF9AD884ADEFBF4FF48310F10842AE958A7210C379A941CFA1

Function 010807C4 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01082447

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: c2139faa3e926298becb45fce2d4997b8aaddb4838ae07c2478d8a5af653668f
Instruction ID: 234ad85ab0608f34e4b1b6af20e1b50effa0fb7dc928b410431310428b5707ff
Opcode Fuzzy Hash: c2139faa3e926298becb45fce2d4997b8aaddb4838ae07c2478d8a5af653668f
Instruction Fuzzy Hash: 2221DBB5901348DFCB10DF9AD884ADEBBF4FB48310F10842AEA58A7250C379A940CFA5

Function 01081848 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37286cf2a33a7b3359c1a89944a0044c57503e49f7b2d32c781dd2e8f98d3f9d
Instruction ID: e0e88869b35e8f4ae175a3b1f2ff209ae0b1425837f1f47b75da1c2102bd09d8
Opcode Fuzzy Hash: 37286cf2a33a7b3359c1a89944a0044c57503e49f7b2d32c781dd2e8f98d3f9d
Instruction Fuzzy Hash: 54D1AD31B046058FC718EF74C8516AEB7E2FF85304F24896AD49A9B385DB36ED478B81

Function 010869A8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d7a90e11a023e708d14f63ef1ae2cc850f7cb4bc18e877419e95219895001b
Instruction ID: d5f4d88b60ee00aef6331503ee684e9a79fa0b8687a2c7bec7aa5dff516b9ac0
Opcode Fuzzy Hash: e4d7a90e11a023e708d14f63ef1ae2cc850f7cb4bc18e877419e95219895001b
Instruction Fuzzy Hash: EAB17E70E042098FDF50DFA9C8857EDBBF2EF88304F158129D895A7294EB759885CF81

Function 01087278 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939edde44622716e066e599fdb970feabb0c5b032b92a6cbd6ad6a93681dc8b0
Instruction ID: c27f2beadbe5d29b4e5feeb1e357b6990c56015dd121e708d5163758f9e2c255
Opcode Fuzzy Hash: 939edde44622716e066e599fdb970feabb0c5b032b92a6cbd6ad6a93681dc8b0
Instruction Fuzzy Hash: D1B15F70E042098FDF54DFA9D8817EDBFF2AF88314F248529D895E7258EB749841CB92

Function 01082788 Relevance: 1.8, APIs: 1, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4345ee7c701582a200a88f43f93dd4aec496d5dfefb25f80c25b9dad730c407
Instruction ID: 03768239482b1120faaf1b3cc6aedab6ffb4c1c3eb169214d0c92598e0f603b2
Opcode Fuzzy Hash: f4345ee7c701582a200a88f43f93dd4aec496d5dfefb25f80c25b9dad730c407
Instruction Fuzzy Hash: 65B1E16185E3E18FD707ABB898742C67FB4AF17214B1A40E7C4C0DB1A3D668494DC7BA

Function 01087BD0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01087C4F

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3fd58f7fc0212cbfff073654c284625ae30ffb7e2d7ac33b58fbafe432f54e62
Instruction ID: a50cabe1a1b7a123d579e34c193d5d9ef87d10480cf5df0bae087cba8ae86fea
Opcode Fuzzy Hash: 3fd58f7fc0212cbfff073654c284625ae30ffb7e2d7ac33b58fbafe432f54e62
Instruction Fuzzy Hash: 3A2136B18012598FCB14CF9AD484BEEFBF4AF49310F24845EE459A7251C778A944CF61

Function 01082528 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 010825A0

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 1a63c1cbbf23a021ae59241a80660f92383654d5b7f9b608dd377ed741798505
Instruction ID: 377f1a967e3fb0f66e149783fb48aab233c60302cafce5cd800a4e047df9a476
Opcode Fuzzy Hash: 1a63c1cbbf23a021ae59241a80660f92383654d5b7f9b608dd377ed741798505
Instruction Fuzzy Hash: EC1112B5C046599FCB14DF9AD444ADEFBF4FB49320F10816AD859A3240C378A644CFA1

Function 010825CF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 010825A0

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: bd2ffe46d34f13da5e3fe9f53740b9f6eff1d894323f0368932c5bcf34094db5
Instruction ID: 3842f856bc3094e9b5e4da1fb86e52b37160cfd69a192d603d094ab6e5fb4fe2
Opcode Fuzzy Hash: bd2ffe46d34f13da5e3fe9f53740b9f6eff1d894323f0368932c5bcf34094db5
Instruction Fuzzy Hash: 6411E3B58087448FCB11EF89D4683ADBBE0FF09320F20408AD5969B311D3359544CBA1

Function 01082530 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 010825A0

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: bdf1a28c424bf0fe272e85c4158b5ddd4ca82533e6f333beb430fb3e86dfa462
Instruction ID: 1c70d1952375aee88e68296eba40956276c49dd5585416592aad2ac8a9b2606d
Opcode Fuzzy Hash: bdf1a28c424bf0fe272e85c4158b5ddd4ca82533e6f333beb430fb3e86dfa462
Instruction Fuzzy Hash: 171132B1C0065A9FCB14DF9AD444A9EFBF4FF48320F10812AD859B3240C378AA40CFA1

Function 010825F4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01082A3F

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: eb8e5c67725ffd28f32ad83b39c31e886d6e94d2b3787b6c7e5bbef6f71d4fa2
Instruction ID: 9f7564f865af5f4211985e40df3a73d320717ac35f6a29801a1369b776d6498d
Opcode Fuzzy Hash: eb8e5c67725ffd28f32ad83b39c31e886d6e94d2b3787b6c7e5bbef6f71d4fa2
Instruction Fuzzy Hash: B6113AB18047498FDB20DF9AC4457EEFBF8EF48310F108469D558A3251D378A944CFA5

Function 01088698 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01088705

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 090cf511d166630bf0ba4f5f8ae2f2fbba6cb204ab085563a9766cb8262a915a
Instruction ID: 001f9dfe0e4936a45f0ad9428b32686f3bbbda53335e594393b583d127bc2a33
Opcode Fuzzy Hash: 090cf511d166630bf0ba4f5f8ae2f2fbba6cb204ab085563a9766cb8262a915a
Instruction Fuzzy Hash: 001113B59002488FDB20DF9AC484BDEBFF4FB48314F20805AD958A7650C375A940CFA1

Function 010886A0 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01088705

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 92db3588fa069d248b47b0bb1cd3a2cb73ad1cc7cb287203697fdeaa19708c73
Instruction ID: 1423ffef30fb899b0d80953f1e40ce845072191cd0e57f7644bf7bd25b471e9b
Opcode Fuzzy Hash: 92db3588fa069d248b47b0bb1cd3a2cb73ad1cc7cb287203697fdeaa19708c73
Instruction Fuzzy Hash: 2D11F2B59006488FDB20EF9AC884BDEBFF4FB48314F208459D558A7250C775A944CFA5

Function 01082A11 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01082A3F

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4d2e92d3d51fd91d0abc4d0582a4ba8465a7c201ef7a3310856ed510b87035bb
Instruction ID: 7291ae04a238c359de8630ec38eea12f643b7c678cbdb21c19d7dea31171c355
Opcode Fuzzy Hash: 4d2e92d3d51fd91d0abc4d0582a4ba8465a7c201ef7a3310856ed510b87035bb
Instruction Fuzzy Hash: 5DF037B19002098FDB20DF99D4447EEFBF4EF48324F24846AD698A3251D778A585CFA1

Non-executed Functions

Function 01086660 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035362406.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_Stub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86cce2cb5bada4c72085ccc0e744e01c70c704f64f03da6d51ef9cb65134edf
Instruction ID: 57ef76dc98794526aab2b48c53d1d492a455176614efa96eda5ffb7e044f51a5
Opcode Fuzzy Hash: c86cce2cb5bada4c72085ccc0e744e01c70c704f64f03da6d51ef9cb65134edf
Instruction Fuzzy Hash: F6916BB0E04209DFDF54EFA8C9917DDBBF2BF88314F158129D499A7294EB359842CB81

Analysis Process: gang.exePID: 7116, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	4

Executed Functions

Function 01220774 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01221817

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0ca6e284c9967fc0dbac7c5ccabfb2e0522d84ba5bd90639153e6b4b3abeaf27
Instruction ID: 7ca08172ed164783044f558c713296db7dfaa0bf8a1cf2515156c5e3897163fe
Opcode Fuzzy Hash: 0ca6e284c9967fc0dbac7c5ccabfb2e0522d84ba5bd90639153e6b4b3abeaf27
Instruction Fuzzy Hash: B521BFB5901359EFCB10DF9AD884ADEFBF5FB48310F10842AEA18A7210D375A954CFA5

Function 012223C0 Relevance: 1.6, APIs: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01222447

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d3a43e4ddce032721543f2ebcc38d5356734219d0216c9d5147a50c0d9f5563b
Instruction ID: 5afa46da8537320a1e81f59dfa81c97180402dc715dba664eac66e84a2d8b5e3
Opcode Fuzzy Hash: d3a43e4ddce032721543f2ebcc38d5356734219d0216c9d5147a50c0d9f5563b
Instruction Fuzzy Hash: 6321DEB5900259EFCB10CF9AD984ADEBBF5FB49310F10842AE918A7250C339A544CFA5

Function 01221791 Relevance: 1.6, APIs: 1, Instructions: 56
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01221817

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f6f344df77e1123f09f87b4767f26409cedf409ed8f73194caedec8f5eb1ed22
Instruction ID: 8d058351422943755566ce5c40013313a89bbee7113c0e5010b72d809faa950f
Opcode Fuzzy Hash: f6f344df77e1123f09f87b4767f26409cedf409ed8f73194caedec8f5eb1ed22
Instruction Fuzzy Hash: 7F21DEB5900359EFCB10CF9AD984ADEBBF5FB48310F10842AE918A7210C375A954CFA1

Function 012223C8 Relevance: 1.6, APIs: 1, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01222447

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 5bc1858a2208a0497b8f74d2b34f47a11e0517e3c8ec977bca2beb6aca8ba373
Instruction ID: e1efa23fcddf525f4dbdda7d1843a701eff3e26f74d9e1f7f3281294d65ede49
Opcode Fuzzy Hash: 5bc1858a2208a0497b8f74d2b34f47a11e0517e3c8ec977bca2beb6aca8ba373
Instruction Fuzzy Hash: B521BFB5901259EFCB10DF9AD884ADEFBF4FB49310F10842AEA18A7210D375A544CFA5

Function 01222780 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595860028e59890703b7943e094f7405afaa161e74bf39e3d70034fd23964f78
Instruction ID: 818b7012b1e624de43b814a1d71e944aed3f36aabde7434f2bf425d1f6dfe21f
Opcode Fuzzy Hash: 595860028e59890703b7943e094f7405afaa161e74bf39e3d70034fd23964f78
Instruction Fuzzy Hash: D791C87281D3E59FD7078B7898642D97FB49F17210F5A40EBC080CF1A3D5AA894AC776

Function 01222965 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01222A3F

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c1538aca0f324a6c8855d1dc0d73bce57d46fc88900ad1bda0c25f48a736922e
Instruction ID: 9a1c8a32ef08a7ddb5d4cf9182ed8ad4518972fc669eecac816d9a68eece7a92
Opcode Fuzzy Hash: c1538aca0f324a6c8855d1dc0d73bce57d46fc88900ad1bda0c25f48a736922e
Instruction Fuzzy Hash: E731CF718093948FCB11CF6DD8847EABFF4EF1A314F14409BD184AB263D6799948CBA5

Function 012278AC Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01227C4F

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3e74cafc6937fad8a59d962494bcd59ac83691d6a9f8699d07b1a8404d1eda4d
Instruction ID: c040650d405940311b21c8c936db4ef717f5c3c194a5fe9a0904fd1b68b8271c
Opcode Fuzzy Hash: 3e74cafc6937fad8a59d962494bcd59ac83691d6a9f8699d07b1a8404d1eda4d
Instruction Fuzzy Hash: 7B2136B18002599FCB10DFAAD484BEEBBF4EF59310F14846AE959B3350D778A944CFA1

Function 01227BD0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01227C4F

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 55836db4f7505785a48554e6528d9b44932b2c248e16743802d5bd75851713fe
Instruction ID: 2a83712c19d21cc6f795155b40b5629c9cbe11acb729a0afac36d77509f62e93
Opcode Fuzzy Hash: 55836db4f7505785a48554e6528d9b44932b2c248e16743802d5bd75851713fe
Instruction Fuzzy Hash: A32178B18012598FCB10CFAAD484BEEFBF4AF48310F14846AE459A7350C738A944CFA0

Function 012225CF Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 012225A0

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 76f36d34d19dcd8745df65722c35d309e95d8dc5ac796926c3f20b676496ee25
Instruction ID: aea693f5f268d208c4d213bb63a10e0688fce1e283ef16d2bdc7f67cf664f0d0
Opcode Fuzzy Hash: 76f36d34d19dcd8745df65722c35d309e95d8dc5ac796926c3f20b676496ee25
Instruction Fuzzy Hash: 3721CCB1814369DFCB15DF69D06429EBFF0AF15320F24808AC105AB262C3799A09CBE1

Function 01222528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 012225A0

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 25cd112947c69c503d0c28e600f5658192528e18d7d9a83c54b6a0bbb462a719
Instruction ID: 5d6ef39261556290a412c37af314b390626b18cc6b96f53c57496fdbd63a10e3
Opcode Fuzzy Hash: 25cd112947c69c503d0c28e600f5658192528e18d7d9a83c54b6a0bbb462a719
Instruction Fuzzy Hash: CB1144B5C1021ADFCB14CF9AD544AEEFBB4FB48310F10811AD919B3240C778A644CFA5

Function 01222530 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 012225A0

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: e42236a6634cc55e13fccf31335b2c4edc78ddf2e5ea67b27b32fae81a9987dc
Instruction ID: 5627a92247c5728f17d396af795778bb8678d2728eb6d2ffddbd08675777697c
Opcode Fuzzy Hash: e42236a6634cc55e13fccf31335b2c4edc78ddf2e5ea67b27b32fae81a9987dc
Instruction Fuzzy Hash: 0E1120B1C0065A9BCB14DF9AD444A9EFBF8FB48320F10812AD919A3240C778AA44CFE5

Function 012225E8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01222A3F

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 205eedee421cb0f437cdaffa65e5fa026f1f5885b8d239b94d4d2a4e77b3fdf0
Instruction ID: e1e014151dfc447a176fd1e1b1d289b25296c6f2ab21ff3820270ec343e3546c
Opcode Fuzzy Hash: 205eedee421cb0f437cdaffa65e5fa026f1f5885b8d239b94d4d2a4e77b3fdf0
Instruction Fuzzy Hash: BF1128B1800259DFDB20DF9AC545BEEFBF8EF48310F208469D918A3251D779A944CFA5

Function 012207CC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01222A3F

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c35033051ed8d8fd0917c67a3ef035a1f1bbb184c935c3d1c87f9746b5dbbb13
Instruction ID: dd63dfcb494362f649aaf1a97bff10cb1518db9a4cb1652c62bca28e9bfe957e
Opcode Fuzzy Hash: c35033051ed8d8fd0917c67a3ef035a1f1bbb184c935c3d1c87f9746b5dbbb13
Instruction Fuzzy Hash: F01158B1800249CFCB10DF9AC445BEEFBF8EB48310F208469D918A3650D378A940CFA5

Function 01228640 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 012286AD

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 2cd0e9d070e57a2c4a9b1086dfd149760fd6edb3f45235b99ecbe00739cae9a5
Instruction ID: 6066c711f3eddee2f39c2f1ca83062925432f756a9435dbd181b13a368800887
Opcode Fuzzy Hash: 2cd0e9d070e57a2c4a9b1086dfd149760fd6edb3f45235b99ecbe00739cae9a5
Instruction Fuzzy Hash: 4A11F5B58106499FDB20DF9AC984ADEBFF8EB48310F208419D518A7250D779A544CFE5

Function 01228648 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 012286AD

Memory Dump Source

Source File: 00000008.00000002.3217280276.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_gang.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: a8efcbd23930a8b2b6757e37faee07df1380d70ea548c7849aeb746e641fe2b5
Instruction ID: eafc6ac6eeae4a91cebd9c553036488cac0a9714915893187bcee97d07f8a6c9
Opcode Fuzzy Hash: a8efcbd23930a8b2b6757e37faee07df1380d70ea548c7849aeb746e641fe2b5
Instruction Fuzzy Hash: 011103B58006499FDB20DF9AC884BDEFFF4EF88310F208419D618A7250C778A944CFA5

Function 011CD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3217057510.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11cd000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88921d08f6622e60ff521349cfb660d673e84e2c05c9ae6719b586705d2a78c6
Instruction ID: 3041de0029fba715487737a27adbaed2e4cac2a67fbad5a82372be06b23e0a33
Opcode Fuzzy Hash: 88921d08f6622e60ff521349cfb660d673e84e2c05c9ae6719b586705d2a78c6
Instruction Fuzzy Hash: 0321E271500244DFDF099F98E9C0B66FF65FBA4720F20C57DDA090A656C33AE416C6E2

Function 011DD0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3217108974.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11dd000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b69a29a83a8cbf86c67e4ec978cfe59d941ac84637411587f9aa9521ebb16b7
Instruction ID: ce7a1611f744d76cdfb06362a269a33f2fca264320bbbc32e80868da1bfb2516
Opcode Fuzzy Hash: 1b69a29a83a8cbf86c67e4ec978cfe59d941ac84637411587f9aa9521ebb16b7
Instruction Fuzzy Hash: 4521F271644204EFDF09DFA8E980B26BBA5FB84314F20C56DD9094B296C33AD406CAA2

Function 011CD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3217057510.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11cd000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: aa8e372027ae8c621d2ab498b2b936e702cc62d7f679ddf462f682a740854c1f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6211CD72404280DFCF06CF44D5C4B56FF62FB94320F24C5A9DA090AA56C33AE45ACBA2

Function 011DD0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3217108974.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11dd000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 0e71d71712355c74520d73bd81c5ce4fcc04043000574553cfead68669e0d356
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7611DD75504280DFDB06CF68E9C4B15FFB2FB84314F24C6A9D8494B296C33AD40ACBA2

Analysis Process: gang.exePID: 5720, Parent PID: 4128COMMON

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	64
Total number of Limit Nodes:	8

Executed Functions

Function 028107C4 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 02811DCF

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 63dfec4a7d6b3e57c9b711cddf00040963bd03b573af9c4c16602e4031b4df87
Instruction ID: c4f1fd5fa36d986b20a2fd683cb3fc87239859682b846c14bb3ae8223cf2eb68
Opcode Fuzzy Hash: 63dfec4a7d6b3e57c9b711cddf00040963bd03b573af9c4c16602e4031b4df87
Instruction Fuzzy Hash: BE21B2B9901249DFCB10DF9AD884ADEBBF4FB49310F108429EA18A7250D375A954CFA5

Function 02810774 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 02811817

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 29a44c4c85db37dbc8d652e3379029150e4b7b77785392bde33946e8efcc758c
Instruction ID: 26f54197834ef58b5e37f21378cb84996cd2fae99d3b8d7b642456f1858faf10
Opcode Fuzzy Hash: 29a44c4c85db37dbc8d652e3379029150e4b7b77785392bde33946e8efcc758c
Instruction Fuzzy Hash: 4021B2B5900349DFCB10DF9AD884ADEFBF8FB49314F10842AEA18A7250D375A954CFA5

Function 02811797 Relevance: 1.6, APIs: 1, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 02811817

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 399b3428738c3e5310909789ce0040ad7927b33901d170b9bad137f73d17572d
Instruction ID: eb0b4c096e394ad35c0764584a84ab5abfd9922d1c86bca9a78a1a1010ce8f25
Opcode Fuzzy Hash: 399b3428738c3e5310909789ce0040ad7927b33901d170b9bad137f73d17572d
Instruction Fuzzy Hash: 3421ABB99012499FCB10CF9AD884ADEBBF4FB49310F10852AE918A7250D379A954CFA1

Function 02811D4F Relevance: 1.6, APIs: 1, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 02811DCF

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e03e8a1a31bdd692fa10125d0edd21332b2836fed8fbcf65bf8b496b92e42b05
Instruction ID: 8627338503cea4a9edde8bafa51e59c4b34e2e34abf7c567100e695691b05b6d
Opcode Fuzzy Hash: e03e8a1a31bdd692fa10125d0edd21332b2836fed8fbcf65bf8b496b92e42b05
Instruction Fuzzy Hash: 8021BFB99012499FCB10CF9AD884ADEBBF4FB49310F10852AE918A7250D375A944CFA1

Function 02812FA0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 02813018

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b773c925ce9396c8d4f0d034ce24411a0c2dc96f7228a52939bb99c21523c06d
Instruction ID: db5c94e332b6d4b2b4a207656ec666985da1af0f307ecfc0b4cef781a54d2c81
Opcode Fuzzy Hash: b773c925ce9396c8d4f0d034ce24411a0c2dc96f7228a52939bb99c21523c06d
Instruction Fuzzy Hash: 8A1134B9C006599BCB14DF9AD545B9EFBF8FF49310F10816AD818B3240D378AA44CFA5

Function 02810804 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 028130B7

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 72c56c98324c29b0921d4b1dcc2f6642447b45163e4f55c64fa9effd9e50b4e8
Instruction ID: b00e2cbdb6b11b94a065820375217643219be236bcbb28ffbc03291bd612b3ef
Opcode Fuzzy Hash: 72c56c98324c29b0921d4b1dcc2f6642447b45163e4f55c64fa9effd9e50b4e8
Instruction Fuzzy Hash: C4113AB5900249CFCB10DF9AC445BEEFBF8EF49314F108469D558A3251D378A944CFA5

Function 02810828 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 028130B7

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a923302aa2cbc4b276568725699d389f30a1732731b664fcf6c8799015e639d2
Instruction ID: d4c86ee5dd12fadfbcf588c9c9853aa8ac05a0e9296a77bb6de2fdc5e29931e0
Opcode Fuzzy Hash: a923302aa2cbc4b276568725699d389f30a1732731b664fcf6c8799015e639d2
Instruction Fuzzy Hash: 621125B5900649CFCB20DF9AC445BEEBBF8EB49324F10846AD518A3291D378A944CFA5

Function 02812FA8 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 02813018

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 98bea84309c900bb24324971a841b5a12776494f409e88890d22f2645f3eb068
Instruction ID: 41e0cb3670143b086bd466b5971ee50680479fe4e86e4a93e7918e516189315c
Opcode Fuzzy Hash: 98bea84309c900bb24324971a841b5a12776494f409e88890d22f2645f3eb068
Instruction Fuzzy Hash: ED1102B9C0065A9BCB14DF9AD544B9EFBF8FF49320F10815AD818B3240D778AA44CFA5

Function 02813050 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 028130B7

Memory Dump Source

Source File: 00000009.00000002.2115738332.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2810000_gang.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8de80d648b539768d021486492834dc062a5a82330f24fd86ac8c624beb46d2d
Instruction ID: 7a0b1772de687c8875deade539b28d3a5500f7c24417e0aaa1a898b6fa6e13ad
Opcode Fuzzy Hash: 8de80d648b539768d021486492834dc062a5a82330f24fd86ac8c624beb46d2d
Instruction Fuzzy Hash: EF1116B58006498FDB10DF9AC445BEEBBF4EF49310F20845AD558A3251D378A544CFA5

Function 00CAD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2113739721.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cad000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e55a4996fea4b3a8e930d64d5a76a2aa6677aa4f5914d1543ea50fe86dc8b6
Instruction ID: 77d2bfe3df698a0950d6e441a707f88cd99f52dce362e86bda838d6043f224c8
Opcode Fuzzy Hash: f8e55a4996fea4b3a8e930d64d5a76a2aa6677aa4f5914d1543ea50fe86dc8b6
Instruction Fuzzy Hash: E52142B1900205DFCB05DF14C9C4F26BFA5FB9932CF248569E90B0B656C33AD946DBA2

Function 00CAD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2113739721.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cad000_gang.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: aef569f34214cde05e57b8599ca5599f153efc9c9dc14797f3ff0fcaebbfc0a8
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A71126B6804340CFCB02CF00D5C4B16BF71FB99318F24C6A9D90A0B656C33AD95ACBA2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Stub.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Stub.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gang.exe.log

C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat

C:\Users\user\AppData\Roaming\gang.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
Stub.exe

Function 010807AA Relevance: 1.6, APIs: 1, Instructions: 69
nativeCOMMON

Function 010878B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 010823C0 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Function 01080774 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Function 01081792 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Function 010807C4 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Function 01082788 Relevance: 1.8, APIs: 1, Instructions: 283
COMMON

Function 01087BD0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 01082528 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 010825CF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 01082530 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON