Windows Analysis Report
wSIWW3vyrB.exe

Overview

General Information

Sample name: wSIWW3vyrB.exe
renamed because original name is a hash value
Original sample name: 848de6895fc2b6a1415564d88ec10917.exe
Analysis ID: 1527159
MD5: 848de6895fc2b6a1415564d88ec10917
SHA1: d0215843c2f33624a45c9bd359903adfdb74b9a1
SHA256: 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
Tags: exeuser-abuse_ch

Detection

Supershell
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Supershell
AI detected suspicious sample
Machine Learning detection for sample
Uses whoami command line tool to query computer and username
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)

Classification

AV Detection

Source: wSIWW3vyrB.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: wSIWW3vyrB.exe Joe Sandbox ML: detected
Source: wSIWW3vyrB.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E.pdb source: wSIWW3vyrB.exe
Source: Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.00000000018C9000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001A11000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001AC3000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: 4--E.pdb source: wSIWW3vyrB.exe
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 121.41.18.122:3232
Source: unknown TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: classification engine Classification label: mal68.troj.winEXE@5/1@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe File opened: C:\Windows\system32\...
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wSIWW3vyrB.exe String found in binary or memory: Mask/Addr6
Source: unknown Process created: C:\Users\user\Desktop\wSIWW3vyrB.exe "C:\Users\user\Desktop\wSIWW3vyrB.exe"
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\whoami.exe Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: netutils.dll
Source: wSIWW3vyrB.exe Static file information: File size 5939200 > 1048576
Source: wSIWW3vyrB.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x5a9c00
Source: wSIWW3vyrB.exe Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Boot Survival

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: wSIWW3vyrB.exe, 00000000.00000002.3404630766.000001BA9A02C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR