
Windows Analysis Report
MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip

Overview

General Information

Sample name:MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip
Analysis ID:1523194
MD5:434f24d28137d65158cc1f2f3884d15c
SHA1:495059dba83d7261950e7d88a43d0e06744642bd
SHA256:73d337681a668b086f3dd875f789c40093234361a1c01d99740130806758cbbd

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6280 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • $R11M6SU.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\$R11M6SU.exe" MD5: 7ED2CB178DEF866018B8DC1D4F239969)
    • $R11M6SU.tmp (PID: 6692 cmdline: "C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp" /SL5="$60266,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe" MD5: B2CCB7BA365ACEAAEF948F02F13B6811)
      • $R11M6SU.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266 MD5: 7ED2CB178DEF866018B8DC1D4F239969)
        • $R11M6SU.tmp (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp" /SL5="$502B4,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266 MD5: B2CCB7BA365ACEAAEF948F02F13B6811)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Virustotal: Detection: 10%
Source: unknown | HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: d3vnxrgxbv8od6.cloudfront.net
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: classification engine | Classification label: mal48.winZIP@7/3@1/4
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Mutant created: \Sessions\1\BaseNamedObjects\{c4b370a2-7bdd-4171-a11d-9b50cd52258f}I
Source: C:\Users\user\Desktop\$R11M6SU.exe | File created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp
Source: C:\Users\user\Desktop\$R11M6SU.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Users\user\Desktop\$R11M6SU.exe "C:\Users\user\Desktop\$R11M6SU.exe"
Source: C:\Users\user\Desktop\$R11M6SU.exe | Process created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp" /SL5="$60266,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Process created: C:\Users\user\Desktop\$R11M6SU.exe "C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266
Source: C:\Users\user\Desktop\$R11M6SU.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp" /SL5="$502B4,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266
Source: C:\Users\user\Desktop\$R11M6SU.exe | Sections loaded: version.dll, netapi32.dll, netutils.dll, uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Sections loaded: mpr.dll, version.dll, netapi32.dll, winhttp.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Sections loaded: mpr.dll, version.dll, netapi32.dll, winhttp.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, dwmapi.dll, windows.storage.dll, wldp.dll, profapi.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, winhttpcom.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Window found: window name: TSelectLanguageForm
Source: MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip | Static file information: File size 1240227 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe | File created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\$R11M6SU.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 2972 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 6772 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 2336 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques per tactic; the number in parentheses is the count of matching signatures, and techniques without a number are matrix cells with no hits.

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Rundll32 (1); Process Injection (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Owner/User Discovery (2); File and Directory Discovery (1); System Information Discovery (12)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
No Antivirus matches

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | 14% | ReversingLabs | Win32.Adware.OfferCore
C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp | 11% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll | 1% | Virustotal |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches
Domains and IPs

Name | IP | Active | Malicious | Antivirus Detection | Reputation
d3vnxrgxbv8od6.cloudfront.net | 18.66.121.171 | true | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
18.66.121.171 | d3vnxrgxbv8od6.cloudfront.net | United States | 3 | MIT-GATEWAYSUS | false

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1523194
    Start date and time:2024-10-01 09:33:45 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:1
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip
    Detection:MAL
    Classification:mal48.winZIP@7/3@1/4
    Cookbook Comments:
    • Found application associated with file extension: .zip
    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Dropped file:C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp
    Process:C:\Users\user\Desktop\$R11M6SU.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):3206432
    Entropy (8bit):6.325266778765761
    Encrypted:false
    SSDEEP:
    MD5:B2CCB7BA365ACEAAEF948F02F13B6811
    SHA1:00441F2FD59F4DA97BAF79EBC7BBF818D5F2F813
    SHA-256:E55665FA6A6179721815FF2F62CC8E8A2D74ED038E55E3BFE11A3AEAFEC6837A
    SHA-512:6DA44DE97EFC9799C06320C06B49DF52C2E4EA3B97E511B4967E9D32EEE8F72C9186BBB37E0C897EA2FCC8F1E2C93722B28D860C698AA8FD43D87B63EA30F5FD
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 14%
    • Antivirus: Virustotal, Detection: 11%
    Reputation:unknown
    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1.......1...@......@....................-.......-..9....................0. '....................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................
    Dropped file:C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp
    Process:C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp
    File Type:PE32+ executable (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):6144
    Entropy (8bit):4.720366600008286
    Encrypted:false
    SSDEEP:
    MD5:E4211D6D009757C078A9FAC7FF4F03D4
    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Virustotal, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
    Dropped file:C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll
    Process:C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):6.216405702855349
    Encrypted:false
    SSDEEP:
    MD5:67965A5957A61867D661F05AE1F4773E
    SHA1:F14C0A4F154DC685BB7C65B2D804A02A0FB2360D
    SHA-256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
    SHA-512:C6942818B9026DC5DB2D62999D32CF99FE7289F79A28B8345AF17ACF9D13B2229A5E917A48FF1F6D59715BDBCB00C1625E0302ABCFE10CA7E0475762E0A3F41B
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    • Antivirus: Virustotal, Detection: 1%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................r........................@.................................................................................................................................................................................................CODE.....p.......r.................. ..`DATA.................v..............@...BSS..................x...................idata...............x..............@....edata..............................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
    File type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Entropy (8bit):7.999875261481892
    TrID:
    • ZIP compressed archive (8000/1) 100.00%
    File name:MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip
    File size:1'240'227 bytes
    MD5:434f24d28137d65158cc1f2f3884d15c
    SHA1:495059dba83d7261950e7d88a43d0e06744642bd
    SHA256:73d337681a668b086f3dd875f789c40093234361a1c01d99740130806758cbbd
    SHA512:6c3a906e68677d82246748e095e047e6eab6b04bb37a1e9f10a7b826517f9a3062db2d8a524f968e07f3227d4eec8b88a6cb1a3cf512a77600e91887212db7ea
    SSDEEP:24576:cImXmHDi/242jAOo0FDfo2fp1GFHQcbVL1v3SWolRdo:tKcDjAr0ZRfp1WHQsF1KFljo
    TLSH:D74533B367FD02514FBEDB9B322A61740460981557BDF0868A7BECE1A3B00E17E45BE4
    File Content Preview:PK.........;AYm.............$.$R11M6SU.exe.. .........&.......&................O<..N6.....2d......l........z]..e.\..[R.?.....X...Y7.4.'.....0.De..P.".V*.U..d.if.e7c)...$N...o...pS.hQ....m...<...-.a...s..I..'^.......r...?....4s...6...i.;.F.Z......|...qG...
    Icon Hash:1c1c1e4e4ececedc