Edit tour

Windows Analysis Report
wSIWW3vyrB.exe

Overview

General Information

Sample name:	wSIWW3vyrB.exe renamed because original name is a hash value
Original sample name:	848de6895fc2b6a1415564d88ec10917.exe
Analysis ID:	1527159
MD5:	848de6895fc2b6a1415564d88ec10917
SHA1:	d0215843c2f33624a45c9bd359903adfdb74b9a1
SHA256:	730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
Tags:	exeuser-abuse_ch
Infos:

Detection

Supershell

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Supershell

AI detected suspicious sample

Machine Learning detection for sample

Uses whoami command line tool to query computer and username

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

wSIWW3vyrB.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\wSIWW3vyrB.exe" MD5: 848DE6895FC2B6A1415564D88EC10917)

conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whoami.exe (PID: 6568 cmdline: whoami MD5: A4A6924F3EAF97981323703D38FD99C4)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: wSIWW3vyrB.exe PID: 5956	JoeSecurity_Supershell	Yara detected Supershell	Joe Security

Sigma Signatures

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: "C:\Users\user\Desktop\wSIWW3vyrB.exe", ParentImage: C:\Users\user\Desktop\wSIWW3vyrB.exe, ParentProcessId: 5956, ParentProcessName: wSIWW3vyrB.exe, ProcessCommandLine: whoami, ProcessId: 6568, ProcessName: whoami.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wSIWW3vyrB.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: wSIWW3vyrB.exe

Joe Sandbox ML: detected

Source: wSIWW3vyrB.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E.pdb source: wSIWW3vyrB.exe
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.00000000018C9000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001A11000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001AC3000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: 4--E.pdb source: wSIWW3vyrB.exe

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 121.41.18.122:3232

Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122
Source: unknown	TCP traffic detected without corresponding DNS query: 121.41.18.122

Source: classification engine

Classification label: mal68.troj.winEXE@5/1@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe

File opened: C:\Windows\system32\69976f7ca267b317d321e50c93ac034a0d061a4d9f77fdb8638bc064d4799cc4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wSIWW3vyrB.exe

ReversingLabs: Detection: 42%

Source: wSIWW3vyrB.exe

String found in binary or memory: Mask/Addr6

Source: unknown	Process created: C:\Users\user\Desktop\wSIWW3vyrB.exe "C:\Users\user\Desktop\wSIWW3vyrB.exe"
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll	Jump to behavior

Source: wSIWW3vyrB.exe

Static file information: File size 5939200 > 1048576

Source: wSIWW3vyrB.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x5a9c00

Source: wSIWW3vyrB.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E.pdb source: wSIWW3vyrB.exe
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.00000000018C9000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001A11000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001AC3000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: 4--E.pdb source: wSIWW3vyrB.exe

Source: wSIWW3vyrB.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Boot Survival

Uses whoami command line tool to query computer and username

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process created: C:\Windows\System32\whoami.exe whoami			Jump to behavior

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: wSIWW3vyrB.exe, 00000000.00000002.3404630766.000001BA9A02C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\whoami.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\wSIWW3vyrB.exe

Process created: C:\Windows\System32\whoami.exe whoami

Jump to behavior

Stealing of Sensitive Information

Yara detected Supershell

Source: Yara match

File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR

Remote Access Functionality

Yara detected Supershell

Source: Yara match

File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Software Packing	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wSIWW3vyrB.exe	42%	ReversingLabs	Win64.Trojan.ShellcodeRunner
wSIWW3vyrB.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
121.41.18.122	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527159
Start date and time:	2024-10-06 20:57:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wSIWW3vyrB.exe renamed because original name is a hash value
Original Sample Name:	848de6895fc2b6a1415564d88ec10917.exe
Detection:	MAL
Classification:	mal68.troj.winEXE@5/1@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.4, 20.190.159.73, 20.190.159.2, 20.190.159.68, 20.190.159.64, 40.126.31.73, 20.190.159.23, 20.190.159.71
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: wSIWW3vyrB.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://praveenxs.github.io/web-dev-task-4	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://sanjaygowda23.github.io/netflix-homepage	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	Ccpo9Gl48v.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://sheikhmuhammadzain.github.io/netflix	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://revshares-phase.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://www.multichainbridges.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://pub-2f611d096e8f43daa9347ca0cf8d9e84.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://pancake-swapp.github.io/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://helpinghandsadvocacy.org/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://steamcommynutiy.com/glft/8412	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	http://ipfs.io/ipfs/bafybeidgkzr2gy7npe4yonk6p7s4chmwvgd2cp7bk7u6llfwiutgvt77tq	Get hash	malicious	HTMLPhisher	Browse	203.119.204.130
	na.elf	Get hash	malicious	Mirai	Browse	8.155.218.236
	z3hir.arm7.elf	Get hash	malicious	Mirai	Browse	39.105.115.14
	http://www.nesianlife.com/	Get hash	malicious	Unknown	Browse	120.26.6.231
	MOfHb44mph.elf	Get hash	malicious	Unknown	Browse	120.26.76.244
	Main.exe	Get hash	malicious	Unknown	Browse	182.92.211.93
	OPyF68i97j.exe	Get hash	malicious	Unknown	Browse	114.55.25.226
	OPyF68i97j.exe	Get hash	malicious	Unknown	Browse	114.55.25.226
	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	8.173.5.16
	yakov.mpsl.elf	Get hash	malicious	Mirai	Browse	8.153.219.75

Process:	C:\Users\user\Desktop\wSIWW3vyrB.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.8915465929003235
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	wSIWW3vyrB.exe
File size:	5'939'200 bytes
MD5:	848de6895fc2b6a1415564d88ec10917
SHA1:	d0215843c2f33624a45c9bd359903adfdb74b9a1
SHA256:	730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
SHA512:	ec0028b77cff56cdd5743de74416c8305879bc83fd2ef0d9d890636eedbd108860f5d88956941f53dd46edbfd4376737e4bd20f0e229249ddcbab1bc681dd295
SSDEEP:	98304:uDCZPZUmgjGXKXl5t9Fk6TXibjXOBswc6d81/IGOj1oUUL43BSx4iwnH6ZCpt+Zx:uDQOjG6XtjS+BvL8Ojul0HiLCpI
TLSH:	5956332B91493D73D06A1678A3392C4DB952540DE3DCA734EBA2D9E673BC3A20DBD071
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................".......Z.........@9........@..............................P............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1423940
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFA566DAh]
dec eax
lea edi, dword ptr [esi-00A79025h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F6970E09615h
add ebx, ebx
je 00007F6970E095C4h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F6970E095E3h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F6970E095DDh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F6970E095B1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F6970E095D2h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F6970E095B2h
rep ret
cld
inc ecx
pop ebx
jmp 00007F6970E095CAh
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F6970E095CCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F6970E095A8h
lea eax, dword ptr [ecx+01h]
jmp 00007F6970E095C9h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F6970E095CCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F6970E095A6h
sub eax, 03h
jc 00007F6970E095DBh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007F6970E0961Ah
sar eax, 1

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1024000	0x9c	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xa79000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xa7a000	0x5aa000	0x5a9c00	0414e75bcefb8af969388c5ce712cfc9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x1024000	0x1000	0x200	7e52da50a2c179bbebab5ba9aef24dfb	False	0.197265625	data	1.4609665700923298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 20:58:50.698713064 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:50.703779936 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:50.703857899 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:50.703999043 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:50.709120035 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:51.834146976 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:51.834698915 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:51.834819078 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:51.839484930 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:51.839603901 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:52.273232937 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:52.273828983 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:52.273926020 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:52.278635025 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:52.278657913 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:52.710432053 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:52.711080074 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:52.716722012 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:53.146958113 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:53.147766113 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:53.152663946 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:53.586277008 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:53.586839914 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:53.591645002 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.024288893 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.065068960 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:54.159719944 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.179208040 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:54.184119940 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.252295971 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.256352901 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:54.256485939 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:54.261214018 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:54.261337042 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:55.497394085 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:55.545536041 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:55.635922909 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:55.636013985 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:55.636082888 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:55.636425972 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:55.636696100 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:55.646776915 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:55.646789074 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.079895020 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.127655029 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:56.219814062 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.220381021 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:56.220591068 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:56.220762014 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:56.220793009 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:56.225246906 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.225373983 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.225553036 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:56.225586891 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:57.038747072 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:57.086993933 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:57.171761990 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:57.181682110 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:57.183821917 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:57.186721087 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:57.188683987 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:58.084744930 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:58.132601023 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:58.135761023 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:58.136213064 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:58.136559010 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:58.141175032 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:58.141356945 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:58.954876900 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.002667904 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:59.087872982 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.088134050 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:59.088335037 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:59.093986988 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.093998909 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.617580891 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.619461060 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:58:59.624339104 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.906219006 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:58:59.954097986 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:00.039855957 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:00.040201902 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:00.040390015 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:00.044899940 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:00.045367956 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.988985062 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.989419937 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.989465952 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:01.989557981 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:01.989702940 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:01.990102053 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.990149975 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:01.990885019 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.990927935 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:01.991767883 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:01.991823912 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:02.006186008 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.006278038 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.148608923 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:02.149166107 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:02.153489113 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.154062986 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.210922956 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:02.215693951 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.898052931 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:02.945620060 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:02.982096910 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:03.032676935 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:03.142059088 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:03.147392035 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:05.246783972 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:05.252314091 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:05.257030964 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:10.693845034 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:10.694063902 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:10.698937893 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:16.576414108 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:16.576646090 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:16.581530094 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:22.016072035 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:22.016448021 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:22.021472931 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:27.455003977 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:27.455302954 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:27.460094929 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:32.895607948 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:32.895869017 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:32.900684118 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:38.335504055 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:38.335721970 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:38.341470957 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:43.775345087 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:43.777529001 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:43.782294989 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:49.217036963 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:49.217338085 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:49.222173929 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:54.571886063 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:54.572129011 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:54.576983929 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:59.913492918 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 20:59:59.913881063 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 20:59:59.918729067 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:05.254271984 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:05.254616022 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:05.259399891 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:10.598973989 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:10.599318981 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:10.604223967 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:15.940006971 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:15.940196991 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:15.945194960 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:21.280633926 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:21.280889988 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:21.285681009 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:26.627355099 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:26.627608061 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:26.632601976 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:31.976511002 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:31.976735115 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:31.981574059 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:37.317022085 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:37.317610979 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:37.322421074 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:42.658919096 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:42.659218073 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:42.664470911 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:48.001008034 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:48.001256943 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:48.008265018 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:53.343781948 CEST	3232	49710	121.41.18.122	192.168.2.6
Oct 6, 2024 21:00:53.343977928 CEST	49710	3232	192.168.2.6	121.41.18.122
Oct 6, 2024 21:00:53.348778009 CEST	3232	49710	121.41.18.122	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 20:58:44.718962908 CEST	1.1.1.1	192.168.2.6	0xf1f2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 6, 2024 20:58:44.718962908 CEST	1.1.1.1	192.168.2.6	0xf1f2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:58:49
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\wSIWW3vyrB.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wSIWW3vyrB.exe"
Imagebase:	0xf00000
File size:	5'939'200 bytes
MD5 hash:	848DE6895FC2B6A1415564D88EC10917
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	14:58:49
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:59:00
Start date:	06/10/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff77b1e0000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:59:00
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wSIWW3vyrB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wSIWW3vyrB.exePID: 5956, Parent PID: 4004

Windows Analysis Report
wSIWW3vyrB.exe