Edit tour

Windows Analysis Report
0yGDYqDKv5.exe

Overview

General Information

Sample name:	0yGDYqDKv5.exe renamed because original name is a hash value
Original sample name:	25a8358dbb560482b6e59b518702a746.exe
Analysis ID:	1520467
MD5:	25a8358dbb560482b6e59b518702a746
SHA1:	220ec6d3999372e7d06f9df88b0c1953caa3c6e2
SHA256:	97d1edc59b66e32eb0f1f816312fa5d2011f987dfc48c4bc7c07d163fd614db9
Tags:	exeuser-abuse_ch
Infos:

Detection

BlackMoon

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

AI detected suspicious sample

Detected VMProtect packer

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

0yGDYqDKv5.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\0yGDYqDKv5.exe" MD5: 25A8358DBB560482B6E59B518702A746)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 0yGDYqDKv5.exe PID: 5536	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.0yGDYqDKv5.exe.a91197.4.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.a91197.4.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xb0a20:$s1: blackmoon 0xb0a60:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.a91197.4.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.a91197.4.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xb0a20:$s1: blackmoon 0xb0a60:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.a84e2a.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.a84e2a.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xbcd8d:$s1: blackmoon 0xbcdcd:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.a87642.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.a87642.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xba575:$s1: blackmoon 0xba5b5:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.62901a.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.62901a.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xf3de2:$s1: blackmoon 0x28180f:$s1: blackmoon 0xf3e22:$s2: BlackMoon RunTime Error: 0x28184f:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.613a00.6.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.613a00.6.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1093fc:$s1: blackmoon 0x296e29:$s1: blackmoon 0x10943c:$s2: BlackMoon RunTime Error: 0x296e69:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.616eba.5.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.616eba.5.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x105f42:$s1: blackmoon 0x29396f:$s1: blackmoon 0x105f82:$s2: BlackMoon RunTime Error: 0x2939af:$s2: BlackMoon RunTime Error:
0.2.0yGDYqDKv5.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.0yGDYqDKv5.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x31c332:$s1: blackmoon 0x4a9d5f:$s1: blackmoon 0x7410ed:$s1: blackmoon 0x31c372:$s2: BlackMoon RunTime Error: 0x4a9d9f:$s2: BlackMoon RunTime Error: 0x74112d:$s2: BlackMoon RunTime Error:
Click to see the 11 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0yGDYqDKv5.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 0yGDYqDKv5.exe

Joe Sandbox ML: detected

Source: 0yGDYqDKv5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: \Kdmapper-Bypass360-main\kdmapper-master\x64\Release\kdmapper.pdb/ source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Kernel_project\kdmapper\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Documents\Desktop\kdmapper-master\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD19.pdb55 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD19.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Documents\Desktop\kdmapper-master\x64\Release\kdmapper.pdb11 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Kernel_project\kdmapper\x64\Release\kdmapper.pdb- source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\C++\hacking\cod_driver\x64\Release\kdmapper_driver.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Labs\Shark-master\Build\Bins\AMD64\Shark.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \Kdmapper-Bypass360-main\kdmapper-master\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD20.pdb55 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\willwon\source\repos\mutante3\mutante\build\bin\mutante.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Windows\Start.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: e:\work\dangerzone\flashdriverwin32\Release\i386\amifldrv32.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD20.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: e:\work\dangerzone\flashdriverwin64\Release\amd64\amifldrv64.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp

Source: global traffic

HTTP traffic detected: GET /BOT2/Var HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 154.12.36.162Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.36.162

Source: global traffic

HTTP traffic detected: GET /BOT2/Var HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 154.12.36.162Cache-Control: no-cache

Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3296531490.000000000198E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.239.244.218:8898/
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://103.239.244.218:8898/600006030021.00
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://154.12.36.162/BOT2/LDvar.exe
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3296531490.000000000198E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.12.36.162/BOT2/Var
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt0?
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crls.pki.jemmylovejenny.tk/EVRootCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crls.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crls.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.pki.jemmylovejenny.tk/EVRootCA0=
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA0O
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA0O
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000B44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/cadsondemak/kanit)
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pki.jemmylovejenny.tk/cps0/
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pki.jemmylovejenny.tk/rpa0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://www.katatrad.comhttps://cadsondemak.comKatatrad
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.thawte.com/repository0

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.a91197.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.a91197.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.a84e2a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.a87642.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.62901a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.613a00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.616eba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yGDYqDKv5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0yGDYqDKv5.exe PID: 5536, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.0yGDYqDKv5.exe.a91197.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.a91197.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.a84e2a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.a87642.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.62901a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.613a00.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.616eba.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.0yGDYqDKv5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

Detected VMProtect packer

Source: 0yGDYqDKv5.exe

Static PE information: .vmp0 and .vmp1 section names

Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs 0yGDYqDKv5.exe
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameShark.sys, vs 0yGDYqDKv5.exe
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs 0yGDYqDKv5.exe

Source: 0yGDYqDKv5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.0yGDYqDKv5.exe.a91197.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.a91197.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.a84e2a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.a87642.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.62901a.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.613a00.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.616eba.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.0yGDYqDKv5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: classification engine

Classification label: mal88.rans.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0yGDYqDKv5.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 0yGDYqDKv5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0yGDYqDKv5.exe

Static file information: File size 8818688 > 1048576

Source: 0yGDYqDKv5.exe

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x866000

Source:	Binary string: \Kdmapper-Bypass360-main\kdmapper-master\x64\Release\kdmapper.pdb/ source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Kernel_project\kdmapper\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Documents\Desktop\kdmapper-master\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD19.pdb55 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD19.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Documents\Desktop\kdmapper-master\x64\Release\kdmapper.pdb11 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Kernel_project\kdmapper\x64\Release\kdmapper.pdb- source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\C++\hacking\cod_driver\x64\Release\kdmapper_driver.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Labs\Shark-master\Build\Bins\AMD64\Shark.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \Kdmapper-Bypass360-main\kdmapper-master\x64\Release\kdmapper.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD20.pdb55 source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\willwon\source\repos\mutante3\mutante\build\bin\mutante.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Windows\Start.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: e:\work\dangerzone\flashdriverwin32\Release\i386\amifldrv32.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UI\x64\Release\COD20.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: e:\work\dangerzone\flashdriverwin64\Release\amd64\amifldrv64.pdb source: 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: 0yGDYqDKv5.exe	Static PE information: section name: .vmp0
Source: 0yGDYqDKv5.exe	Static PE information: section name: .vmp1

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 35B0005 value: E9 2B BA 90 73	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 76EBBA30 value: E9 DA 45 6F 8C	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 36C0008 value: E9 8B 8E 84 73	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 76F08E90 value: E9 80 71 7B 8C	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 36D0005 value: E9 8B 4D 3A 72	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 75A74D90 value: E9 7A B2 C5 8D	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 36F0005 value: E9 EB EB 39 72	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 75A8EBF0 value: E9 1A 14 C6 8D	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 3700005 value: E9 8B 8A 75 72	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 75E58A90 value: E9 7A 75 8A 8D	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 3710005 value: E9 2B 02 77 72	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 75E80230 value: E9 DA FD 88 8D	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 3720005 value: E9 8B 2F 7D 73	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Memory written: PID: 5536 base: 76EF2F90 value: E9 7A D0 82 8C	Jump to behavior

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 0yGDYqDKv5.exe, 00000000.00000002.3295843603.0000000000C07000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: 4SBIEDLL.DLL
Source: 0yGDYqDKv5.exe, 00000000.00000002.3295843603.0000000000C07000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: 4SBIEDLL.DLL=

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	RDTSC instruction interceptor: First address: 13844C5 second address: 13844D7 instructions: 0x00000000 rdtsc 0x00000002 xor cl, FFFFFFA0h 0x00000005 stc 0x00000006 rol cl, 1 0x00000008 or al, 5Ch 0x0000000a neg ah 0x0000000c rol dx, FF80h 0x00000010 xor bl, cl 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	RDTSC instruction interceptor: First address: C9DBF7 second address: C9DC09 instructions: 0x00000000 rdtsc 0x00000002 xor cl, FFFFFFA0h 0x00000005 stc 0x00000006 rol cl, 1 0x00000008 or al, 5Ch 0x0000000a neg ah 0x0000000c rol dx, FF80h 0x00000010 xor bl, cl 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0yGDYqDKv5.exe	RDTSC instruction interceptor: First address: CA5EB8 second address: CA5EBB instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 0yGDYqDKv5.exe, 00000000.00000002.3296531490.00000000019FB000.00000004.00000020.00020000.00000000.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3296531490.000000000198E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\0yGDYqDKv5.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 Credential API Hooking	21 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0yGDYqDKv5.exe	50%	ReversingLabs	Win32.Trojan.Generic
0yGDYqDKv5.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://154.12.36.162/BOT2/Var	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://154.12.36.162/BOT2/LDvar.exe	0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://cacerts.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA.crt0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://scripts.sil.org/OFLThis	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://www.eyuyan.com)DVarFileInfo$	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000B44000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://pki.jemmylovejenny.tk/rpa0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://scripts.sil.org/OFLhttps://www.katatrad.comhttps://cadsondemak.comKatatrad	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://ocsp.thawte.com0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://crls.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA.crl0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://cacerts.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crt0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://ocsp.pki.jemmylovejenny.tk/EVRootCA0=	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://pki.jemmylovejenny.tk/cps0/	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://www.thawte.com/repository0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt0?	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://ocsp.pki.jemmylovejenny.tk/SHA2TimeStampingServicesCA0O	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://103.239.244.218:8898/600006030021.00	0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://ocsp.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA0O	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://crls.pki.jemmylovejenny.tk/EVRootCA.crl0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/cadsondemak/kanit)	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://103.239.244.218:8898/	0yGDYqDKv5.exe, 00000000.00000002.3295192113.000000000050A000.00000002.00000001.01000000.00000003.sdmp, 0yGDYqDKv5.exe, 00000000.00000002.3296531490.000000000198E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crls.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crl0	0yGDYqDKv5.exe, 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.12.36.162	unknown	United States		54133	UNMETEREDCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520467
Start date and time:	2024-09-27 11:30:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0yGDYqDKv5.exe renamed because original name is a hash value
Original Sample Name:	25a8358dbb560482b6e59b518702a746.exe
Detection:	MAL
Classification:	mal88.rans.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 0yGDYqDKv5.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.12.36.162	SecuriteInfo.com.W32.GenKryptik.DLII.tr.897.20988.exe	Get hash	malicious	BlackMoon	Browse	154.12.36.162/BOT/Var
154.12.36.162	SecuriteInfo.com.Variant.Strictor.290402.14971.7159.exe	Get hash	malicious	BlackMoon	Browse	154.12.36.162/ZZ/Var

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNMETEREDCA	SecuriteInfo.com.W32.GenKryptik.DLII.tr.897.20988.exe	Get hash	malicious	BlackMoon	Browse	154.12.36.162
	SecuriteInfo.com.Variant.Strictor.290402.14971.7159.exe	Get hash	malicious	BlackMoon	Browse	154.12.36.162
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (369).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	ExeFile (160).exe	Get hash	malicious	Emotet	Browse	38.88.126.202
	185.196.11.135-arm-2024-08-06T18_49_53.elf	Get hash	malicious	Mirai	Browse	38.147.202.219

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.979434142838091
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0yGDYqDKv5.exe
File size:	8'818'688 bytes
MD5:	25a8358dbb560482b6e59b518702a746
SHA1:	220ec6d3999372e7d06f9df88b0c1953caa3c6e2
SHA256:	97d1edc59b66e32eb0f1f816312fa5d2011f987dfc48c4bc7c07d163fd614db9
SHA512:	d9573907c31efc7b536a8d77595e22d3a1a38bbf40d3c6bbc1f146f8d9311f2984fcc9102d745b82e00aa1af4c40958dd29b2f5b43d173c896218ea595bd86ea
SSDEEP:	196608:r3IVeodRuG3wPtEd1adiz+Mte7Qd/r36/rpCCWlM:LIo2RNAP67ei6MuQFopCJ
TLSH:	BB96337317665082D5E0C83AC62BBDD432FA43AF4B8278B565FBACC52126DE0E613D53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X%.f.................P....p..............`....@...........................@............................................

File Icon


Icon Hash:	1371579633311392

Static PE Info

General

Entrypoint:	0x144c4e3
Entrypoint Section:	.vmp1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x66EC2558 [Thu Sep 19 13:21:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2cbb343f31943476e7ffd3952e3d673c

Entrypoint Preview

Instruction
push 80BF15DCh
call 00007F6E0518E47Dh
jmp 00007F6E0568043Ch
inc eax
stc
rol eax, 1
xor eax, 3F903741h
xor ebx, eax
stc
add edi, eax
jmp 00007F6E0518FA4Ah
dec ecx
stc
not ecx
xor ebx, ecx
cmc
cmp esp, eax
add ebp, ecx
jmp 00007F6E05180C84h
dec ecx
test ah, 00000020h
xor ebx, ecx
cmc
test ebx, edi
add edi, ecx
jmp 00007F6E056736D8h
inc ecx
xor ebx, 332C2CCAh
jmp 00007F6E05156383h
bswap eax
jmp 00007F6E04E625BFh
dec eax
clc
rol eax, 02h
xor ebx, eax
cmp si, di
test ebx, 6BD94035h
add ebp, eax
jmp 00007F6E052CC325h
jl 00007F6E052D0C56h
loopne 00007F6E052D0CA7h
inc ebp
call 00007F6E3781399Bh
int3
inc ch
sub ebp, dword ptr [edx+15ABE17Eh]
adc byte ptr [edx+ebx+54h], bh
out dx, al
aad 00h
push cs
aad 9Ah
xlatb
in eax, dx
and eax, 935F522Bh
fldcw word ptr [edx-2A6CD3C7h]
push esp
mov dl, F9h
pop edi
bound ebp, dword ptr [ebx-17E8C29Fh]
sub al, byte ptr [edi]
into
push ds
fild qword ptr [edx]
jnp 00007F6E052D0C74h
in al, 18h
cld
mov ah, 26h
sbb al, B6h
mov seg?, word ptr [ebx+706FBDE5h]
adc al, CEh
pop edx
dec edi
push ds
lodsd
dec ebx
loop 00007F6E052D0C0Dh
call 00007F6DCCC63859h
imul esp, eax, A6h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf51e1c	0x1cc	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x140a000	0x1885	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xfa0000	0xe4	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104536	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x106000	0x674428	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x77b000	0x8b4ca	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0	0x807000	0x39c033	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1	0xba4000	0x865b20	0x866000	f739bb2e89561ee5aef644383c9a7167	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x140a000	0x1885	0x2000	7c6d00d2ac06dd53ca35696cbb5dafa4	False	0.45751953125	data	4.959444021608528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x140a1c4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x140a4ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x140a5d4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.6852720450281425
RT_GROUP_ICON	0x140b67c	0x14	data			1.2
RT_GROUP_ICON	0x140b690	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x140b6a4	0x14	data	Chinese	China	1.25
RT_MANIFEST	0x140b6b8	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
iphlpapi.dll	GetAdaptersInfo
WINMM.dll	waveOutUnprepareHeader
WS2_32.dll	inet_ntoa
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamInfoA
RASAPI32.dll	RasGetConnectStatusA
KERNEL32.dll	GetVersion, GetVersionExA
USER32.dll	GetSysColorBrush
GDI32.dll	GetPolyFillMode
WINSPOOL.DRV	ClosePrinter
comdlg32.dll	GetFileTitleA
ADVAPI32.dll	RegCreateKeyExA
SHELL32.dll	ShellExecuteA
ole32.dll	CLSIDFromProgID
OLEAUT32.dll	VariantClear
COMCTL32.dll	ImageList_Destroy
WININET.dll	HttpQueryInfoA
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:31:05.121102095 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:31:05.125909090 CEST	80	49704	154.12.36.162	192.168.2.5
Sep 27, 2024 11:31:05.126019001 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:31:05.126126051 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:31:05.130911112 CEST	80	49704	154.12.36.162	192.168.2.5
Sep 27, 2024 11:31:05.733006001 CEST	80	49704	154.12.36.162	192.168.2.5
Sep 27, 2024 11:31:05.733135939 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:32:05.732645988 CEST	80	49704	154.12.36.162	192.168.2.5
Sep 27, 2024 11:32:05.732712030 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:32:54.926493883 CEST	49704	80	192.168.2.5	154.12.36.162
Sep 27, 2024 11:32:54.931400061 CEST	80	49704	154.12.36.162	192.168.2.5

HTTP Request Dependency Graph

154.12.36.162

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	154.12.36.162	80	5536	C:\Users\user\Desktop\0yGDYqDKv5.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 11:31:05.126126051 CEST	149	OUT	GET /BOT2/Var HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 154.12.36.162 Cache-Control: no-cache
Sep 27, 2024 11:31:05.733006001 CEST	244	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Sep 2024 09:31:05 GMT Content-Type: application/octet-stream Content-Length: 2 Last-Modified: Thu, 19 Sep 2024 13:28:12 GMT Connection: keep-alive ETag: "66ec26ec-2" Accept-Ranges: bytes Data Raw: 31 31 Data Ascii: 11

Target ID:	0
Start time:	05:31:01
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\0yGDYqDKv5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0yGDYqDKv5.exe"
Imagebase:	0x400000
File size:	8'818'688 bytes
MD5 hash:	25A8358DBB560482B6E59B518702A746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.3295192113.0000000000A7D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.3295192113.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0yGDYqDKv5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 0yGDYqDKv5.exePID: 5536, Parent PID: 1028

General

Windows Analysis Report
0yGDYqDKv5.exe