Edit tour

Windows Analysis Report
RUMMY.EXE

Overview

General Information

Sample name:	RUMMY.EXE
Analysis ID:	1528654
MD5:	d228499e249b66190ed130b1d27790ec
SHA1:	9f6d842edacd83dabc8a548d7d8eb47d5df66f3f
SHA256:	77032f475fe4d87f065ae038ebbd230e4281884040a28f8745dde73e4d33c067
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

RUMMY.EXE (PID: 7092 cmdline: "C:\Users\user\Desktop\RUMMY.EXE" MD5: D228499E249B66190ED130B1D27790EC)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RUMMY.EXE	ReversingLabs: Detection: 18%
Source: RUMMY.EXE	Virustotal: Detection: 22%			Perma Link

Source: RUMMY.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: RUMMY.EXE

String found in binary or memory: http://unni.web.com

Source: RUMMY.EXE, 00000000.00000000.2024488436.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSOL.EXE@ vs RUMMY.EXE
Source: RUMMY.EXE	Binary or memory string: OriginalFilenameSOL.EXE@ vs RUMMY.EXE

Source: RUMMY.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: RUMMY.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RUMMY.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RUMMY.EXE	ReversingLabs: Detection: 18%
Source: RUMMY.EXE	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\RUMMY.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RUMMY.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RUMMY.EXE	19%	ReversingLabs	Win32.Trojan.Generic
RUMMY.EXE	22%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://unni.web.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://unni.web.com	RUMMY.EXE	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528654
Start date and time:	2024-10-08 07:42:45 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RUMMY.EXE
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.383599727985923
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RUMMY.EXE
File size:	151'552 bytes
MD5:	d228499e249b66190ed130b1d27790ec
SHA1:	9f6d842edacd83dabc8a548d7d8eb47d5df66f3f
SHA256:	77032f475fe4d87f065ae038ebbd230e4281884040a28f8745dde73e4d33c067
SHA512:	0b536da26e1dc87356f697be96d2a3a7c25d472259fb5cc3274e2fb8abf184b34ddbc3700879dd3af23b15da34d5c45504ad7ba19cd0c01f4209472c115ced60
SSDEEP:	768:qCYcoX561rQJDbsQxgvcqgA4JswkXpTFMWCQrvTace+0PhnMKT7cd:qE6pRVgcwwkXpTFMWCQK6mVc
TLSH:	3EE3A833F025C84AF56999728CD099F8E2D3BD309E141523B644FBAEFAB7A409B14375
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M...M...M...6...L.../...K.......L.......F.......H...M...........E.......L...RichM...........................PE..L......8...

File Icon


Icon Hash:	b21edeb8b5cecdff

Static PE Info

General

Entrypoint:	0x4033de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x38F296E3 [Tue Apr 11 03:07:15 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8f11bca1acc579591031ff47d7ad4c47

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00404A90h
push 00403564h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00404394h]
pop ecx
or dword ptr [0040616Ch], FFFFFFFFh
or dword ptr [00406170h], FFFFFFFFh
call dword ptr [00404390h]
mov ecx, dword ptr [00406160h]
mov dword ptr [eax], ecx
call dword ptr [00404388h]
mov ecx, dword ptr [0040615Ch]
mov dword ptr [eax], ecx
mov eax, dword ptr [00404384h]
mov eax, dword ptr [eax]
mov dword ptr [00406168h], eax
call 00007F11D52C519Bh
cmp dword ptr [00406080h], ebx
jne 00007F11D52C508Eh
push 00403560h
call dword ptr [00404380h]
pop ecx
call 00007F11D52C516Dh
push 00406014h
push 00406010h
call 00007F11D52C5158h
mov eax, dword ptr [00406158h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00406154h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00404378h]
push 0040600Ch
push 00406000h
call 00007F11D52C5125h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d58	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x1d5c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x3ec	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27d2	0x3000	468532419e1cd526c2644200ff28280f	False	0.4298502604166667	data	5.273158969972959	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x13c2	0x2000	6831063698e3b0bf2ed903fd016cbb98	False	0.2271728515625	data	3.389820039460895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x174	0x1000	106642e33387622d7775bbb8b97d547c	False	0.029541015625	data	0.21884890496450699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0x1d5c0	0x1e000	7bb5b156ce988e592517c9c788051fbf	False	0.21956380208333334	data	4.230447840036496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x13310	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.32
RT_BITMAP	0x10d90	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3
RT_BITMAP	0x11240	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.37416666666666665
RT_BITMAP	0x116f0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3825
RT_BITMAP	0x11ba0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.41
RT_BITMAP	0x12050	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4
RT_BITMAP	0x12500	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.41583333333333333
RT_BITMAP	0x129b0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4141666666666667
RT_BITMAP	0x12e60	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4483333333333333
RT_BITMAP	0x108e0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3925
RT_BITMAP	0x137c0	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.275561797752809
RT_BITMAP	0x15390	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.29943820224719103
RT_BITMAP	0x145a8	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2581460674157303
RT_BITMAP	0x1e440	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.43833333333333335
RT_BITMAP	0x1bec0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3416666666666667
RT_BITMAP	0x1c370	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.38
RT_BITMAP	0x1c820	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.38416666666666666
RT_BITMAP	0x1ccd0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4041666666666667
RT_BITMAP	0x1d180	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3975
RT_BITMAP	0x1d630	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.36833333333333335
RT_BITMAP	0x1dae0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4058333333333333
RT_BITMAP	0x1df90	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4375
RT_BITMAP	0x1ba10	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4483333333333333
RT_BITMAP	0x1e8f0	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.273876404494382
RT_BITMAP	0x86b8	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.30168539325842697
RT_BITMAP	0x1f6d8	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.26825842696629215
RT_BITMAP	0xb0c0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.32416666666666666
RT_BITMAP	0x229f0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4075
RT_BITMAP	0x204c0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.35833333333333334
RT_BITMAP	0x94a0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3175
RT_BITMAP	0x9950	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.38916666666666666
RT_BITMAP	0x9e00	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3641666666666667
RT_BITMAP	0xa2b0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.37666666666666665
RT_BITMAP	0xa760	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.36333333333333334
RT_BITMAP	0xac10	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3925
RT_BITMAP	0x22ea0	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.49166666666666664
RT_BITMAP	0xb570	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2800561797752809
RT_BITMAP	0xd140	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.30786516853932583
RT_BITMAP	0xc358	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.31573033707865167
RT_BITMAP	0x18ba8	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.29333333333333333
RT_BITMAP	0x16628	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3516666666666667
RT_BITMAP	0x16ad8	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.36583333333333334
RT_BITMAP	0x16f88	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3616666666666667
RT_BITMAP	0x17438	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.3825
RT_BITMAP	0x178e8	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.37416666666666665
RT_BITMAP	0x17d98	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.38916666666666666
RT_BITMAP	0x18248	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4191666666666667
RT_BITMAP	0x186f8	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.4225
RT_BITMAP	0x16178	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.43333333333333335
RT_BITMAP	0x19058	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2648876404494382
RT_BITMAP	0x1ac28	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2941011235955056
RT_BITMAP	0x19e40	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2859550561797753
RT_BITMAP	0x8290	0x428	Device independent bitmap graphic, 128 x 15 x 4, image size 960	English	United States	0.3618421052631579
RT_BITMAP	0xdf28	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.04522471910112359
RT_BITMAP	0xed10	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.10056179775280899
RT_BITMAP	0xfaf8	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.0550561797752809
RT_BITMAP	0x20970	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.2606741573033708
RT_BITMAP	0x21758	0x4b0	Device independent bitmap graphic, 71 x 96 x 1, image size 1152	English	United States	0.29583333333333334
RT_BITMAP	0x21c08	0xde8	Device independent bitmap graphic, 71 x 96 x 4, image size 3456	English	United States	0.04719101123595506
RT_ICON	0x7f90	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.36693548387096775
RT_MENU	0x23370	0x9a	data	English	United States	0.7402597402597403
RT_DIALOG	0x23420	0x172	data	English	United States	0.5864864864864865
RT_STRING	0x23840	0x6c	data	English	United States	0.4444444444444444
RT_STRING	0x238b0	0x34	data	English	United States	0.5576923076923077
RT_STRING	0x23930	0x166	data	English	United States	0.37988826815642457
RT_STRING	0x23ba0	0x260	data	English	United States	0.0805921052631579
RT_STRING	0x23f50	0x328	data	English	United States	0.34405940594059403
RT_STRING	0x23ee0	0x70	data	English	United States	0.625
RT_STRING	0x23a98	0x106	data	English	United States	0.5763358778625954
RT_STRING	0x23e00	0xda	data	English	United States	0.43119266055045874
RT_STRING	0x238e8	0x46	data	English	United States	0.7428571428571429
RT_STRING	0x24278	0xc6	data	English	United States	0.41919191919191917
RT_STRING	0x24340	0x1f8	data	English	United States	0.36706349206349204
RT_STRING	0x24538	0x86	data	English	United States	0.6567164179104478
RT_ACCELERATOR	0x23410	0x10	data	English	United States	1.3125
RT_GROUP_ICON	0x8278	0x14	data	English	United States	1.2
RT_VERSION	0x23598	0x2a8	data	English	United States	0.4808823529411765
None	0x23350	0x1c	data	English	United States	1.25

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	_acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, exit, __p__fmode, __set_app_type, _except_handler3, _controlfp, _exit, _onexit, _XcptFilter, __dllonexit, rand, _setmbcp, _itoa, srand, time, __CxxFrameHandler
KERNEL32.dll	GetModuleHandleA, GetStartupInfoA
USER32.dll	SetTimer, GetClientRect, KillTimer, FillRect, LoadBitmapA, LoadCursorA, EnableWindow
GDI32.dll	CreateSolidBrush, BitBlt, CreateCompatibleDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 07:43:55.673548937 CEST	53	50997	1.1.1.1	192.168.2.5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: RUMMY.EXEPID: 7092, Parent PID: 1028

General

Target ID:	0
Start time:	01:43:34
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\RUMMY.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RUMMY.EXE"
Imagebase:	0x400000
File size:	151'552 bytes
MD5 hash:	D228499E249B66190ED130B1D27790EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: RUMMY.EXEPID: 7092, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	179
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401370 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#2621.MFC42 ref: 0040138B
#4159.MFC42(00000000), ref: 00401394
#823.MFC42(0000006C,00000000), ref: 0040139B
#520.MFC42(00000080,<`@,0`@,D`@), ref: 004013C9
#986.MFC42(00000000), ref: 004013DD
#296.MFC42(00000000), ref: 004013E6
#5214.MFC42(?,00000000), ref: 004013FA
#5301.MFC42(?,?,00000000), ref: 00401406
#617.MFC42(?,00000000), ref: 0040141C
#617.MFC42(?,00000000), ref: 00401432

Strings

<`@, xrefs: 004013BD
D`@, xrefs: 004013B3
0`@, xrefs: 004013B8

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #617$#2621#296#4159#520#5214#5301#823#986
String ID: 0`@$<`@$D`@
API String ID: 3835139667-1166163548
Opcode ID: 3ae295d397972a5e10b439ed0f186d821bac742b7784cc7fa5b506763629e84f
Instruction ID: 8f3377e77405aa066e05be82c6a6b5fbe4de9d7d331fb865d51bc178ef090d20
Opcode Fuzzy Hash: 3ae295d397972a5e10b439ed0f186d821bac742b7784cc7fa5b506763629e84f
Instruction Fuzzy Hash: 0A11E770644380ABD354EF25C852B1F7ED8AB88B25F400A3EF895A73D1DB7CC601874A

Function 00401190 Relevance: 15.1, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4457.MFC42(?), ref: 0040119A
#2120.MFC42(?,50002800,0000E800,?), ref: 004011BB
#4163.MFC42(00000080,?,50002800,0000E800,?), ref: 004011CF
#2117.MFC42(?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 004011EB
#6000.MFC42(00406020,00000004,?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 004011FD
#5871.MFC42(?,00406020,00000004,?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 00401212
#2626.MFC42(0000F000,?,00406020,00000004,?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 0040121E
#2627.MFC42(0000F000,0000F000,?,00406020,00000004,?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 0040122A
#2494.MFC42(?,00000000,00000000,0000F000,0000F000,?,00406020,00000004,?,50008200,0000E801,00000080,?,50002800,0000E800,?), ref: 00401236
#6209.MFC42(?,00000000,00000000,?,00000000,00000000,0000F000,0000F000,?,00406020,00000004,?,50008200,0000E801,00000080), ref: 00401242

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #2117#2120#2494#2626#2627#4163#4457#5871#6000#6209
String ID:
API String ID: 1118489726-0
Opcode ID: 2ad700159516505ad7e773a3d629e1d03bd935213591d9cf5613df2795bf7298
Instruction ID: be536de2474846b322ae670beaadc84c7819085007e49e5f4862961dc115ba7d
Opcode Fuzzy Hash: 2ad700159516505ad7e773a3d629e1d03bd935213591d9cf5613df2795bf7298
Instruction Fuzzy Hash: 45115E3134220022F624693A4D62F7F568E5FD1B25F14453FB256FA2D6DEB8A905426C

Function 00402690 Relevance: 6.2, APIs: 4, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#470.MFC42 ref: 004026B0
#755.MFC42 ref: 004026D0
GetClientRect.USER32(?,?), ref: 004026F1

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #470#755ClientRect
String ID:
API String ID: 2502121321-0
Opcode ID: 4f46d9130ae510f0c31082474cb7453935c0a6241bd5fb5c57cdc0ec13ca2409
Instruction ID: 3f6a77a7beea499f63deb99d23fd2e59961f755f5db8cadf32a1abce2ca1384d
Opcode Fuzzy Hash: 4f46d9130ae510f0c31082474cb7453935c0a6241bd5fb5c57cdc0ec13ca2409
Instruction Fuzzy Hash: 2E719D75600B009FD724DF19C881F6AB7E5FF88704F10862DE6569B3D1EBB5A905CB90

Function 00403570 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(00403512,00403512,00403512,00403512,00403512,00000000,?,0000000A), ref: 00403580

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 2045489f9ebaa0ccebf079923496baf998559f2fcb1a7899f90e8b8b5e8f5fa3
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: AEB00836028386ABCB02EE918C0192ABAA6BB98705F484C1DB2A1100B187668528AB16

Non-executed Functions

Function 00401D80 Relevance: 22.6, APIs: 15, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#289.MFC42(?,?,?), ref: 00401D9F
#823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401DAE
#1146.MFC42(?,00000002,?,?), ref: 00401DDA
LoadBitmapA.USER32(00000000,?), ref: 00401DE0
#1641.MFC42(00000000), ref: 00401DE9
#323.MFC42(00000000), ref: 00401DF2
CreateCompatibleDC.GDI32(?), ref: 00401E0B
#1640.MFC42(00000000), ref: 00401E16
#5785.MFC42(?,?,00000000), ref: 00401E2C
BitBlt.GDI32(00000001,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00401E64
#5785.MFC42(?,00000000), ref: 00401E77
#2414.MFC42(?,00000000), ref: 00401E7E
#2405.MFC42(?,00000000), ref: 00401E87
#640.MFC42(?,00000000), ref: 00401E95
#613.MFC42(?,00000000), ref: 00401EA6

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #5785$#1146#1640#1641#2405#2414#289#323#613#640#823BitmapCompatibleCreateLoad
String ID:
API String ID: 607866127-0
Opcode ID: fd5973dbc7de01c337c7303004c23c930101173b0027c025ad91d87bd578a08c
Instruction ID: 67e5c8633a5a039485d157fec622035c5c05163356be74be597a77d62d5b98a9
Opcode Fuzzy Hash: fd5973dbc7de01c337c7303004c23c930101173b0027c025ad91d87bd578a08c
Instruction Fuzzy Hash: 703160B2208341AFC310EF65C985F2BBBE8AB84714F04892DF956A72D1DB78E905C756

Function 00401B30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 206
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 00401B49

Part of subcall function 00401EC0: #289.MFC42(?,?,00403728,000000FF,00401B6A,?,?,?,?), ref: 00401EE0
Part of subcall function 00401EC0: CreateSolidBrush.GDI32 ref: 00401F20
Part of subcall function 00401EC0: #1641.MFC42(00000000), ref: 00401F2B
Part of subcall function 00401EC0: FillRect.USER32(?,?,00404A7C), ref: 00401F49
Part of subcall function 00401EC0: #2414.MFC42 ref: 00401F60
Part of subcall function 00401EC0: #613.MFC42 ref: 00401F79

rand.MSVCRT ref: 00401B86
time.MSVCRT(00000000), ref: 00401B8B
srand.MSVCRT ref: 00401B92
rand.MSVCRT ref: 00401B98
_itoa.MSVCRT ref: 00401C02
#1175.MFC42 ref: 00401C38
#6199.MFC42(?), ref: 00401C53
SetTimer.USER32(?,00000001,000000C8,00000000), ref: 00401D69

Strings

Rummy #, xrefs: 00401BB8

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: Rectrand$#1175#1641#2414#289#613#6199BrushClientCreateFillSolidTimer_itoasrandtime
String ID: Rummy #
API String ID: 2045690635-3068404159
Opcode ID: d85decf698ab465c608bfaca0c54d02d744611c3d0577a2c82d3f70c834f0685
Instruction ID: 12c0eb7b25bb229f6f69f8f451545bf55e46337edfe3bb877cbeb5c2afdbfed5
Opcode Fuzzy Hash: d85decf698ab465c608bfaca0c54d02d744611c3d0577a2c82d3f70c834f0685
Instruction Fuzzy Hash: A061BF716003049BD718DF69C885A6ABBE6FBC8304F14862DFA469B3D1EA74ED058B84

Function 004033DE Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040340B
__p__fmode.MSVCRT ref: 00403420
__p__commode.MSVCRT ref: 0040342E
__setusermatherr.MSVCRT ref: 0040345A
_initterm.MSVCRT ref: 00403470
__getmainargs.MSVCRT ref: 00403493
_initterm.MSVCRT ref: 004034A3
GetStartupInfoA.KERNEL32(?), ref: 004034E2
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403506
exit.MSVCRT ref: 00403516
_XcptFilter.MSVCRT ref: 00403528

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 6eb3bed4911b60887d4ed7a770c7ed3ee2553a33c7029b092e287e621a08ffcb
Instruction ID: d358dbb428a00fa79a3b253f8031388de2651a2a08fc8b52a03f72944860442e
Opcode Fuzzy Hash: 6eb3bed4911b60887d4ed7a770c7ed3ee2553a33c7029b092e287e621a08ffcb
Instruction Fuzzy Hash: 87416BB0940354AFDB25DFA4DD45AAABFBCAB09711F20013EF942BB2E1D7385940CB18

Function 00401EC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#289.MFC42(?,?,00403728,000000FF,00401B6A,?,?,?,?), ref: 00401EE0
CreateSolidBrush.GDI32 ref: 00401F20
#1641.MFC42(00000000), ref: 00401F2B
FillRect.USER32(?,?,00404A7C), ref: 00401F49
#2414.MFC42 ref: 00401F60
#613.MFC42 ref: 00401F79

Strings

TJ@, xrefs: 00401F69

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #1641#2414#289#613BrushCreateFillRectSolid
String ID: TJ@
API String ID: 1831403058-3904813409
Opcode ID: cc26c9cb94c525202472281eb38bceca11511a8efa1792f10db0facdc696af0c
Instruction ID: 516291bd938665e5daca50e1b343290019a6091df45c07c589e304e0ff415edd
Opcode Fuzzy Hash: cc26c9cb94c525202472281eb38bceca11511a8efa1792f10db0facdc696af0c
Instruction Fuzzy Hash: 082129B5108340AFC304DF28C985A5BBBE8BBC8714F00892EF59A93290D778D944CB56

Function 00402CA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KillTimer.USER32(00000000,00000001,?,00402BA3,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402CA9
#4224.MFC42(Congratulations, You Win,Rummy,00000000,?,00402BA3,?,?,?,?,?,?,?,?,?,?,?), ref: 00402CBD

Part of subcall function 00401B30: GetClientRect.USER32(?,?), ref: 00401B49
Part of subcall function 00401B30: rand.MSVCRT ref: 00401B86
Part of subcall function 00401B30: time.MSVCRT(00000000), ref: 00401B8B
Part of subcall function 00401B30: srand.MSVCRT ref: 00401B92
Part of subcall function 00401B30: rand.MSVCRT ref: 00401B98
Part of subcall function 00401B30: _itoa.MSVCRT ref: 00401C02
Part of subcall function 00401B30: #1175.MFC42 ref: 00401C38

Strings

Rummy, xrefs: 00402CB1
Congratulations, You Win, xrefs: 00402CB6

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: rand$#1175#4224ClientKillRectTimer_itoasrandtime
String ID: Congratulations, You Win$Rummy
API String ID: 1495886604-2709776976
Opcode ID: 019d1c1c7511780365b2e02f78435709d0c2b1b97265b046d0c86a6c3b7cebbc
Instruction ID: bdd2c4dade37018a9f4e7117faa277ddcdcf882978787444807aac8b9f44d5b7
Opcode Fuzzy Hash: 019d1c1c7511780365b2e02f78435709d0c2b1b97265b046d0c86a6c3b7cebbc
Instruction Fuzzy Hash: D7D0C93178062027D6147764AD17F5D21595B45B04F11012EBA02BA1C1DAF9A951038C

Function 004019E0 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#560.MFC42(?,00000000,00000000,004036C3,000000FF,0040197A,?,?,?,?,000000FF), ref: 004019FD
#540.MFC42(?,00000000,00000000,004036C3,000000FF,0040197A,?,?,?,?,000000FF), ref: 00401A0D
#1168.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,004036C3,000000FF), ref: 00401A32
LoadCursorA.USER32(00000000,00007F00), ref: 00401A3E

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #1168#540#560CursorLoad
String ID:
API String ID: 4175135295-0
Opcode ID: ab3dd0e15dde0705b78282519559052bd20409bbda27b87f8018b6f6cb0afb0a
Instruction ID: b711d1f2222960a7ef7d53a3cbe70342e53c6e002ec37024179a1a54a932fd65
Opcode Fuzzy Hash: ab3dd0e15dde0705b78282519559052bd20409bbda27b87f8018b6f6cb0afb0a
Instruction Fuzzy Hash: 7DF06DB0548B909FD320DF19C806756BBE4FB44B19F004A2EF58657BC1C7FDA1088B86

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32 ref: 00401AF0
#1233.MFC42(00000008,?,00000000,00000000), ref: 00401B02
#860.MFC42(00000000,00000008,?,00000000,00000000), ref: 00401B0A
#5260.MFC42(?,00000000,00000008,?,00000000,00000000), ref: 00401B1B

Memory Dump Source

Source File: 00000000.00000002.3287220274.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3287205296.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287235507.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287251405.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3287266269.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RUMMY.jbxd

Similarity

API ID: #1233#5260#860BrushCreateSolid
String ID:
API String ID: 1786706830-0
Opcode ID: b1b9004ab19452716930e9659ee0e9e99c07594f1ff81ec2daf93f093de4b99b
Instruction ID: 1167740107a5b3485a0345d160f9e8cd61bcefda1c95246fa771a9a6d8075eb8
Opcode Fuzzy Hash: b1b9004ab19452716930e9659ee0e9e99c07594f1ff81ec2daf93f093de4b99b
Instruction Fuzzy Hash: 78E092B13006106FD250DB49D995F2F7BADEBC8705F00442EF649EB2C0CEB468058B68

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RUMMY.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: RUMMY.EXEPID: 7092, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: RUMMY.EXEPID: 7092, Parent PID: 1028COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00401370 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 59COMMON

Control-flow Graph

Function 00401190 Relevance: 15.1, APIs: 10, Instructions: 67COMMON

Control-flow Graph

Windows Analysis Report
RUMMY.EXE

Function 00401370 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 59
COMMON

Function 00401190 Relevance: 15.1, APIs: 10, Instructions: 67
COMMON

Function 00402690 Relevance: 6.2, APIs: 4, Instructions: 210
COMMON

Function 00403570 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00401D80 Relevance: 22.6, APIs: 15, Instructions: 99
windowCOMMON

Function 00401B30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 206
timeCOMMON

Function 004033DE Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00401EC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55
COMMON

Function 00402CA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15
timeCOMMON

Function 004019E0 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON