Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1521012
MD5:	f6c330bf80269e6a2ce60b6c173ede5e
SHA1:	3a1ee94b51b65b73ae8694d407feae213cdfa0a3
SHA256:	dd41646c21ed512b30eaad50eca6e74a45ecd7c6c7bf9d1c6aa804c2ea845428
Tags:	exeuser-4k95m
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: F6C330BF80269E6A2CE60B6C173EDE5E)

conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 6408	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T03:03:04.022076+0200	2049060	1	A Network Trojan was detected	192.168.2.7	49700	193.233.132.253	50600	TCP

ET MALWARE [ANY.RUN] RisePro TCP (Activity)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T03:03:07.019564+0200	2046269	1	A Network Trojan was detected	192.168.2.7	49700	193.233.132.253	50600	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setup.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: setup.exe	ReversingLabs: Detection: 63%
Source: setup.exe	Virustotal: Detection: 73%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000003.00000002.3721877835.00000000015F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000003.00000002.3721877835.00000000015F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\7jdz0h\obj\Release\Company.pdb source: setup.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.7:49700 -> 193.233.132.253:50600
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.7:49700 -> 193.233.132.253:50600

Source: global traffic

TCP traffic: 192.168.2.7:49700 -> 193.233.132.253:50600

Source: Joe Sandbox View	IP Address: 193.233.132.253 193.233.132.253
Source: Joe Sandbox View	IP Address: 193.233.132.253 193.233.132.253

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.253

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004680A0 recv,

3_2_004680A0

Source: RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RegAsm.exe, 00000003.00000002.3721877835.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00A20B80	0_2_00A20B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005EF006	3_2_005EF006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0057900A	3_2_0057900A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0054F0FB	3_2_0054F0FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0055014F	3_2_0055014F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0054D12C	3_2_0054D12C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005701F5	3_2_005701F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004E925D	3_2_004E925D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00487270	3_2_00487270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005E2349	3_2_005E2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004E03D0	3_2_004E03D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005DC3B1	3_2_005DC3B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402400	3_2_00402400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005AF4AC	3_2_005AF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00553508	3_2_00553508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004E959F	3_2_004E959F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00548676	3_2_00548676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402600	3_2_00402600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00583614	3_2_00583614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00563608	3_2_00563608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0056D85D	3_2_0056D85D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005DB831	3_2_005DB831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005639D3	3_2_005639D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005EFAD2	3_2_005EFAD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004E5B90	3_2_004E5B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418BB0	3_2_00418BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005BDC4C	3_2_005BDC4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005D7D09	3_2_005D7D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005D4E2F	3_2_005D4E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_005E8EF4	3_2_005E8EF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00483EF0	3_2_00483EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0059AEB8	3_2_0059AEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00550FB6	3_2_00550FB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0057DFBA	3_2_0057DFBA

Source: setup.exe, 00000000.00000002.1256634562.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs setup.exe
Source: setup.exe, 00000000.00000000.1252913238.00000000002BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCompany.exeJ vs setup.exe
Source: setup.exe	Binary or memory string: OriginalFilenameCompany.exeJ vs setup.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@0/1

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user~1\AppData\Local\Temp\adobe9Ly9nVMaTKYM

Jump to behavior

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: setup.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: setup.exe	ReversingLabs: Detection: 63%
Source: setup.exe	Virustotal: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: devobj.dll	Jump to behavior

Source: setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: setup.exe

Static file information: File size 2265088 > 1048576

Source: setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x228600

Source: setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000003.00000002.3721877835.00000000015F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000003.00000002.3721877835.00000000015F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\7jdz0h\obj\Release\Company.pdb source: setup.exe

Source: setup.exe

Static PE information: 0x9484A554 [Wed Dec 16 08:44:04 2048 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418BB0 LoadLibraryA,GetProcAddress,

3_2_00418BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004DD189 push ecx; ret

3_2_004DD19C

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Stalling execution: Execution stalls by calling Sleep

graph_3-23553

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 703BA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 65B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 5FD48D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 61633D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 742DBD

Source: C:\Users\user\Desktop\setup.exe	Memory allocated: A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 4650000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0054C04A rdtsc

3_2_0054C04A

Source: C:\Users\user\Desktop\setup.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3163			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 5349			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-23558

Source: C:\Users\user\Desktop\setup.exe TID: 6752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6396	Thread sleep count: 3163 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6396	Thread sleep time: -319463s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7224	Thread sleep count: 350 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6396	Thread sleep count: 5349 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6396	Thread sleep time: -540249s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\setup.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3721877835.0000000001609000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RegAsm.exe, 00000003.00000002.3721877835.000000000161B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, 00000003.00000002.3721877835.000000000161B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, 00000003.00000002.3721877835.0000000001609000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0054C04A rdtsc

3_2_0054C04A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418BB0 LoadLibraryA,GetProcAddress,

3_2_00418BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004146B0 mov eax, dword ptr fs:[00000030h]

3_2_004146B0

Source: C:\Users\user\Desktop\setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_02652411 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_02652411

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 515000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 540000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 545000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5F6000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5F7000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 81B000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1091008	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6408, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6408, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	112 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
setup.exe	74%	Virustotal		Browse
setup.exe	100%	Avira	TR/AD.Nekark.amdkl
setup.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
http://www.winimage.com/zLibDll	1%	Virustotal	Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal	Browse
http://www.winimage.com/zLibDllDpRTpR	1%	Virustotal	Browse
https://t.me/RiseProSUPPORT	0%	Virustotal	Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.winimage.com/zLibDll	RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://t.me/RiseProSUPPORT	RegAsm.exe, 00000003.00000002.3721877835.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.winimage.com/zLibDllDpRTpR	RegAsm.exe, 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.253	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521012
Start date and time:	2024-09-28 03:02:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
22:12:27	API Interceptor	1253233x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.253	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.253/retailerTest.exe
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	193.233.132.253/lumma2804.exe
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	193.233.132.253/lumma2804.exe
	2q45IEa3Ee.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	193.233.132.253/lumma1504.exe
	TANQUIVUIA.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	193.233.132.253/lumma1504.exe
	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	193.233.132.253/lumma1104.exe
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	193.233.132.253/lumma1104.exe
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.253/lumma1104.exe
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.253/lumma1104.exe
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.253/lumma1104.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	147.45.44.104
	https://steamcommninty.com/activates/gifts	Get hash	malicious	Unknown	Browse	147.45.47.40
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse	147.45.60.44
	SolaraV3.exe	Get hash	malicious	RedLine	Browse	147.45.47.192
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999653481278875
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	setup.exe
File size:	2'265'088 bytes
MD5:	f6c330bf80269e6a2ce60b6c173ede5e
SHA1:	3a1ee94b51b65b73ae8694d407feae213cdfa0a3
SHA256:	dd41646c21ed512b30eaad50eca6e74a45ecd7c6c7bf9d1c6aa804c2ea845428
SHA512:	9ff5152bbbf71574dd1abf4a7a05b4884e7f2d1c5bb7d7e1e1ff0e467aaa83221a04cbb47257ea4394d637b01f5f59d0938af6ae4699069f8fe49ca1afa88e43
SSDEEP:	49152:q1kvIsRS6E2Z7ZkgbGrs1qi+ldn5Yp4cCA5XSVRrnzUM1vSxt3W:ekZRBpBGrN+p4DAgjQMpC
TLSH:	65A533A9D04D8FB8C3CB62B185A5610792F1F2E75BB663350709702AAFCD131B8C5FA5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............."...0..."..........2... ...."...@.. ........................#...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4032e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9484A554 [Wed Dec 16 08:44:04 2048 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
out 44h, eax
loope 00007F6BF06EFAC9h
loope 00007F6BF06EFAA1h
xchg eax, edi
inc eax
pop esi
stosb
out 4Fh, al
fbld [esi]
jp 00007F6BF06EF9F0h
and al, ch
adc byte ptr [esi], bl
retf
sbb eax, 31F6954Dh
dec esi
cmp eax, 2AA61047h
jecxz 00007F6BF06EFA62h
sub eax, EB91F13Ch
salc
fcomp qword ptr [ecx+24h]
lea ebp, dword ptr [ecx]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3292	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22c000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3220	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2285b0	0x228600	1a54088697eb86bcad73b6071a739505	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22c000	0x5dc	0x600	928dd8bd0a422e6d709f17b14d4203bf	False	0.4381510416666667	data	4.164718679002896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22e000	0xc	0x200	41ef9bd02060e3a45c1522f573b6e54d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x22c090	0x34c	data			0.44075829383886256
RT_MANIFEST	0x22c3ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-28T03:03:04.022076+0200	2049060	ET MALWARE RisePro TCP Heartbeat Packet	1	192.168.2.7	49700	193.233.132.253	50600	TCP
2024-09-28T03:03:07.019564+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.7	49700	193.233.132.253	50600	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 03:03:04.012008905 CEST	49700	50600	192.168.2.7	193.233.132.253
Sep 28, 2024 03:03:04.017039061 CEST	50600	49700	193.233.132.253	192.168.2.7
Sep 28, 2024 03:03:04.018250942 CEST	49700	50600	192.168.2.7	193.233.132.253
Sep 28, 2024 03:03:04.022075891 CEST	49700	50600	192.168.2.7	193.233.132.253
Sep 28, 2024 03:03:04.026925087 CEST	50600	49700	193.233.132.253	192.168.2.7
Sep 28, 2024 03:03:07.019563913 CEST	49700	50600	192.168.2.7	193.233.132.253
Sep 28, 2024 03:03:07.025701046 CEST	50600	49700	193.233.132.253	192.168.2.7
Sep 28, 2024 03:03:25.370343924 CEST	50600	49700	193.233.132.253	192.168.2.7
Sep 28, 2024 03:03:25.370445013 CEST	49700	50600	192.168.2.7	193.233.132.253

Target ID:	0
Start time:	21:03:00
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x90000
File size:	2'265'088 bytes
MD5 hash:	F6C330BF80269E6A2CE60B6C173EDE5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:03:00
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	21:03:00
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xee0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	41.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.6%
Total number of Nodes:	56
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02652411 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02652580
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02652593
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 026525B1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 026525D5
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02652600
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02652658
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 026526A3
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 026526E1
Wow64SetThreadContext.KERNEL32(?,?), ref: 0265271D
ResumeThread.KERNELBASE(?), ref: 0265272C

Strings

Load, xrefs: 0265244F
GetP, xrefs: 02652493
ress, xrefs: 0265249B
aryA, xrefs: 02652457

Memory Dump Source

Source File: 00000000.00000002.1257121516.0000000002652000.00000040.00000800.00020000.00000000.sdmp, Offset: 02652000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2652000_setup.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 315ca02eda9149f674e6756808a9327192885b50a9684e3022b1a938fcfb7f4a
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 21B1D47664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 00A20B80 Relevance: 1.9, APIs: 1, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a818b48fbc3d01a00334b41fe0a2badd19ce856897a5f9d302cf07555d055622
Instruction ID: a2bc05ea12fb12211f4ef7cace913a721b902a17218a6677a12da6793ee53779
Opcode Fuzzy Hash: a818b48fbc3d01a00334b41fe0a2badd19ce856897a5f9d302cf07555d055622
Instruction Fuzzy Hash: 96028D319042958FCB05CFADC480AEDFFF2AF59310B59C5A5D499EB262C734E981CBA4

Function 00A204C7 Relevance: 1.6, APIs: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03653584,?,?,?), ref: 00A210A9

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c8ea1f2335f5f9c5f1b1e1aa67f6a520d55e0785f5e4126c135cfec160483914
Instruction ID: 89fc2602c12669c17c35f55fafeddef18bb1829adcec95e2d54a1022ea7e8d53
Opcode Fuzzy Hash: c8ea1f2335f5f9c5f1b1e1aa67f6a520d55e0785f5e4126c135cfec160483914
Instruction Fuzzy Hash: 7E318772C052999FCB10DFA9D884BCEFFB4FF19310F14816AE448A7212D3B49904CBA1

Function 00A20538 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 00A21191

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3f0e4ebcd35f5d43d5fbb81f0f7d0112afd94e8c3da8a154f386d909de8addc6
Instruction ID: 6de0a87ed39af59a22cc323a004b491ee25ce6a021a786c90356cd6000a0536e
Opcode Fuzzy Hash: 3f0e4ebcd35f5d43d5fbb81f0f7d0112afd94e8c3da8a154f386d909de8addc6
Instruction Fuzzy Hash: BE21D0B59012499FCB10CF9AD984ADEBBF5FB48310F20852AE918A7340D775A954CBA4

Function 00A210F0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 00A21191

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0a6cc5b982f9889e56c3abec84721094890328cc44c97cf19e148dc23c306535
Instruction ID: 0114e2f5b8803d04b5e6ee586b8c9a1e76c3a871ee04a88e0f146f50a08b5028
Opcode Fuzzy Hash: 0a6cc5b982f9889e56c3abec84721094890328cc44c97cf19e148dc23c306535
Instruction Fuzzy Hash: F021F3B5D012499FCB10CFA9D984ADEBBF1FB48310F10852EE919A7350D375A914CFA0

Function 00A2052C Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03653584,?,?,?), ref: 00A210A9

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6473414bb45ea810bfba7b8a2557aeb4f869eed28c2d25a2377190819d7e804f
Instruction ID: 108a6f38777282f743274065f150ae9ec579a0e19064faecc1794e4f5a7540da
Opcode Fuzzy Hash: 6473414bb45ea810bfba7b8a2557aeb4f869eed28c2d25a2377190819d7e804f
Instruction Fuzzy Hash: E2211571D01259AFCB10DF9AD884BDEFBB5FB48310F10812AE918A3240D374A954CBA5

Function 00A20514 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00A20AAC

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: dfd470fd9e6b03cf83442a1af3baee326d47fb891941eba88124ba38af3b7354
Instruction ID: 8196b473b006dca94cb7719ec485c99b7b166a0ccc62ebc2a3f0b9b4aee58f2e
Opcode Fuzzy Hash: dfd470fd9e6b03cf83442a1af3baee326d47fb891941eba88124ba38af3b7354
Instruction Fuzzy Hash: 291122B5D003498FCB20DF9AD445B9EBBF4EB48320F208429D959A7341D774A944CFA0

Function 00A20A49 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00A20AAC

Memory Dump Source

Source File: 00000000.00000002.1256864478.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_setup.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 1021b7bba4e8d9afb02800ed6d92986c55bc837307333d51872573fe19ff0f40
Instruction ID: 74d7498d592db5025eddd3868f9893307cfc85c48b859aa1bb3c79e34be39224
Opcode Fuzzy Hash: 1021b7bba4e8d9afb02800ed6d92986c55bc837307333d51872573fe19ff0f40
Instruction Fuzzy Hash: 5C1132748043498FDB20DFA9C444BDEBBF0AB48310F24845AC459A7251C374A845CFA0

Analysis Process: RegAsm.exePID: 6408, Parent PID: 5608COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	109
Total number of Limit Nodes:	10

Executed Functions

Function 004680A0 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d81178ab646820a6eb893515159c8322c390487e491d838ec1b7ab484b2027c
Instruction ID: ecfb405bbff1ea3e4979a418a500bc296bc6e7c43d59ad8d68ecad1a3c3bf1c0
Opcode Fuzzy Hash: 8d81178ab646820a6eb893515159c8322c390487e491d838ec1b7ab484b2027c
Instruction Fuzzy Hash: F741F631A00108AFC715DF69DC905AEBBA5FF45364F10822FF855DB341DB34AA51CB95

Function 0041E220 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 395
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,00000004,00000002), ref: 0041E2CD
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0041E34F
recv.WS2_32(00000000,0000000C,00000008), ref: 0041E370
recv.WS2_32(00000000,?,00000008), ref: 0041E427
recv.WS2_32(?,00000004,00000008), ref: 0041E52F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E544
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000,?,?,00000344,0000FFFF,00001006,?,00000008), ref: 0041E5BD
Sleep.KERNELBASE(00000064,?,00002710,00000000,?,?,00000344,0000FFFF,00001006,?,00000008), ref: 0041E5C5
std::_Throw_Cpp_error.LIBCPMT ref: 0041E739
std::_Throw_Cpp_error.LIBCPMT ref: 0041E74A
Sleep.KERNEL32(00000065), ref: 0041E7C7

Strings

m, xrefs: 0041E63F
CT, xrefs: 0041E6C5

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: recv$Sleep$Cpp_errorThrow_std::_$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: m$CT
API String ID: 4033404942-2121359313
Opcode ID: 4aec3fae07ce63c4b3971c8331474f49506cbd7e9bf7179fe5ad1251c5c1f826
Instruction ID: 541cfadfa3b6dac143fff9bdd5be9d1be2ec44792db14051d089f580e14847da
Opcode Fuzzy Hash: 4aec3fae07ce63c4b3971c8331474f49506cbd7e9bf7179fe5ad1251c5c1f826
Instruction Fuzzy Hash: 19F1E074D00248EBDB10DFA5CC49BEEBBB5FF51708F20425AE4106B2D2D7B85A89DB85

Function 00402F50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00402F9F

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 41d4b623479a6b4a9dc53cb52b2ab75701e8e7a8ddb80481ea63bf669c97ac75
Instruction ID: 922f6ea32f6fac839a196189dfb9ef5f71be3718e8211864cdecdc298bb8bebd
Opcode Fuzzy Hash: 41d4b623479a6b4a9dc53cb52b2ab75701e8e7a8ddb80481ea63bf669c97ac75
Instruction Fuzzy Hash: 6AF0F0725401028BCB286F65D9098EAB3B8EE143A6310047FF88CD36D2E77ED840A784

Function 004EB74C Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,004EB886,00000000,00000000,00000000), ref: 004EB795

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08b95fc51899ad17043f6fa96d22d5f18ad8bd770bb164b188ee89b447ad829d
Instruction ID: 69105f86bb4839127914ce14ce2a333d9bcd1989a38b53b75fdce134867bb829
Opcode Fuzzy Hash: 08b95fc51899ad17043f6fa96d22d5f18ad8bd770bb164b188ee89b447ad829d
Instruction Fuzzy Hash: F7010836210199AFDB058F5ACC45CAF3F29DFC5365B240249FC109B2A0E775EE529BD4

Non-executed Functions

Function 00418BB0 Relevance: 24.6, Strings: 18, Instructions: 2076COMMON

Download Yara Rule

Strings

@O][nV\YT_YK, xrefs: 00419201, 0041920E
%s|%s, xrefs: 00418DF9
IABQX\, xrefs: 00419764, 0041976B
., xrefs: 00419794
IABQX\, xrefs: 00419C72, 00419C79
RL[3, xrefs: 00419136
IABQX\, xrefs: 00419732, 00419739
:, xrefs: 00418CF0
@ET, xrefs: 00418F1B
OG, xrefs: 00419189
4, xrefs: 0041A8B0
,, xrefs: 0041932C
., xrefs: 00419CD4
@ET, xrefs: 00418F70
@O][nQ\A[BEQ\I, xrefs: 004192F1, 004192FE
type must be boolean, but is , xrefs: 0041AA17, 0041AA48, 0041AAFE
IABQX\, xrefs: 00419CA4, 00419CAB
,, xrefs: 00419231

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %s|%s$,$,$.$.$4$:$@ET$@ET$@O][nQ\A[BEQ\I$@O][nV\YT_YK$IABQX\$IABQX\$IABQX\$IABQX\$OG$RL[3$type must be boolean, but is
API String ID: 0-2687570968
Opcode ID: f1ae5ec45e40cc298493f042e2cce951e96c843fe875671c280f88f5515eb7e6
Instruction ID: e961a701f2afd2fa6f97a72362c52f48d25eeb15afec5ac09e132253787c98b0
Opcode Fuzzy Hash: f1ae5ec45e40cc298493f042e2cce951e96c843fe875671c280f88f5515eb7e6
Instruction Fuzzy Hash: 3413FF709042589FDB25DF68C958BEEBBB0AF05304F0441CEE44967292DB799EC8CF96

Function 004146B0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e5e4c00776260d396e56defb91423826d9e9f14dbe5c55272fc73b9196d8af
Instruction ID: 187a562dbae0ae02de644202ed7863f73715a9724e0290cfc75b4ac2a7ffd0ef
Opcode Fuzzy Hash: b4e5e4c00776260d396e56defb91423826d9e9f14dbe5c55272fc73b9196d8af
Instruction Fuzzy Hash: CF51A0B1D002199FDB04DFA8C954BEEBBB4FF88314F14415EE421B7381D7799A448BA4

Function 0054C04A Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c97f548ddff9f834a5e7bc3f8e99fbd9d79d8b7eb7ce75d2db0702809c9d550
Instruction ID: 4e0af5a29117eb99791c8da406945d756c14a3ac0ced37ccbbda3a6ad7c748b8
Opcode Fuzzy Hash: 2c97f548ddff9f834a5e7bc3f8e99fbd9d79d8b7eb7ce75d2db0702809c9d550
Instruction Fuzzy Hash: 2341BB301187428FC329EB29D9469AB7BE1FFC5328F50CA6DD0D683542D730A412CB96

Function 004F4D9F Relevance: 10.8, APIs: 7, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strrchr.LIBCMT ref: 004F4E25

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 93b5c7d55acd086f0d350931ad843cc01176c7766146c8ee9253385d32184bc1
Instruction ID: 589becb99ee3adf27699cb767a9d83f27a62820bf1ca4c3ec6002ba9eb813f73
Opcode Fuzzy Hash: 93b5c7d55acd086f0d350931ad843cc01176c7766146c8ee9253385d32184bc1
Instruction Fuzzy Hash: B1B13932A0075A9FDB118F24CC81BBF7FA5EF95350F144157E704AB382DA789901C7A9

Function 00408130 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004085AC
___std_exception_destroy.LIBVCRUNTIME ref: 004085C2

Strings

, column , xrefs: 004081A2
parse error, xrefs: 00408305
at line , xrefs: 0040818B
ror, xrefs: 004082A0

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $parse error$ror
API String ID: 4194217158-697689061
Opcode ID: c544b48d3a7bd091e2756c201fa4c299fc85d2734b5896138f844569b93f0d83
Instruction ID: 5eed20493bf9008b1666e4e77f551704a34727cf03c9faf4099439c52a9f14e3
Opcode Fuzzy Hash: c544b48d3a7bd091e2756c201fa4c299fc85d2734b5896138f844569b93f0d83
Instruction Fuzzy Hash: FCD1CC71C00248DFEB14DFA8C9557EEBBB1AF51304F20829EE0557B2D2D7B85A84DBA1

Function 0040B300 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 271COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0040B714
std::_Throw_Cpp_error.LIBCPMT ref: 0040B725

Strings

DT, xrefs: 0040B32E
\*.*, xrefs: 0040B3B0

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: \*.*$DT
API String ID: 2134207285-2523999094
Opcode ID: f5372e11be44082f25a3e12a1f91f11978beff7d64d4e8c50d5de106e862fc9f
Instruction ID: 3a5e357e0eaef43d548668da3bf32abc8c0e5fbc24ddd430c02188c82ba943da
Opcode Fuzzy Hash: f5372e11be44082f25a3e12a1f91f11978beff7d64d4e8c50d5de106e862fc9f
Instruction Fuzzy Hash: 81B1DE70C00249DEDB10DFA8C9487EEBBB1FF55318F24425AE054BB2D2D7B85A84CBA5

Function 00409690 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,5C4B5A43), ref: 00409713

Strings

CZK\, xrefs: 004096D3
RLR!, xrefs: 004096A6
5+,*, xrefs: 004096AD

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc
String ID: 5+,*$CZK\$RLR!
API String ID: 190572456-1667197386
Opcode ID: cf33655838e94d90ad32bcdbaf41b148c00ca284dd3093585e7f53c682d23829
Instruction ID: 1b649b20cbcbbe383d2d74940bb5567eda14a8d9e06964788797058add72dc1c
Opcode Fuzzy Hash: cf33655838e94d90ad32bcdbaf41b148c00ca284dd3093585e7f53c682d23829
Instruction Fuzzy Hash: 90311B71D04348ABDF109FE99C89BAEFBB8FF45714F1001BAE908B7292D6744D458798

Function 00413F60 Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00413F93
CopyFileA.KERNEL32(?,?,00000000), ref: 004140E2
GetLastError.KERNEL32 ref: 004140F0
CopyFileA.KERNEL32(?,?,00000000), ref: 00414104

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: a3ad2207beff2c88c72dfc4db5a41971c486cf9080c7e1f51e7741a25d86b42c
Instruction ID: 4e8a858f8e8f6960467cd2fd7353e7b51b17af89a7da7ed7c510c280620ba509
Opcode Fuzzy Hash: a3ad2207beff2c88c72dfc4db5a41971c486cf9080c7e1f51e7741a25d86b42c
Instruction Fuzzy Hash: 7251CF72D01209ABDF21DFE5CC41BEEBBB8EF48324F10426AE514B7281D7396A45CB94

Function 00475D60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00475E75
Concurrency::cancel_current_task.LIBCPMT ref: 00476093

Strings

cannot get value, xrefs: 00476098

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot get value
API String ID: 118556049-2333289761
Opcode ID: 0999ee98cbe4c0583c2714d920e8f8a2abc0c77b51863e559c45617679fa762a
Instruction ID: 55863f5c5c761cbec14b37c2ffbbc5b0a7e38fdbd5ed2974f92d332770d72459
Opcode Fuzzy Hash: 0999ee98cbe4c0583c2714d920e8f8a2abc0c77b51863e559c45617679fa762a
Instruction Fuzzy Hash: D3B1B075900609DFCB04CF98C594AEEFBB5FF08310F14829AE819AB355D778AE01CB94

Function 00407EC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040807C
___std_exception_destroy.LIBVCRUNTIME ref: 00408092

Strings

[json.exception., xrefs: 00407F11

Memory Dump Source

Source File: 00000003.00000002.3720005461.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3719894491.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720560055.0000000000515000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720665924.0000000000540000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3720743891.0000000000545000.00000020.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3721025884.00000000005F6000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: cad485bcd42c8c281bad2817767b03bedc2c5fabb8b440c254c2ce50f9aa2880
Instruction ID: 7f99c11b4c43e4572e9624dce323e281514ed808fd84471958b998dba4cb0f5b
Opcode Fuzzy Hash: cad485bcd42c8c281bad2817767b03bedc2c5fabb8b440c254c2ce50f9aa2880
Instruction Fuzzy Hash: 2151C170D042499BDB10DFA8C94579EBBB4FF51314F14426EE850AB3C2E7B95A44CBA1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
setup.exe

Function 02652411 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 00A20B80 Relevance: 1.9, APIs: 1, Instructions: 441
COMMON

Function 00A204C7 Relevance: 1.6, APIs: 1, Instructions: 82
memoryCOMMON

Function 00A20538 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 00A210F0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 00A2052C Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Function 00A20514 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00A20A49 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 004680A0 Relevance: .2, Instructions: 153
COMMON

Function 0041E220 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 395
networksleepCOMMON

Function 00402F50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Function 004EB74C Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Function 004F4D9F Relevance: 10.8, APIs: 7, Instructions: 329
COMMON

Function 00408130 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 320
COMMON