Windows Analysis Report
6GUgc6JYS1.exe

Overview

General Information

Sample name: 6GUgc6JYS1.exe
renamed because original name is a hash value
Original sample name: cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8.exe
Analysis ID: 1542745
MD5: 789bf0a8714e77d0d524ba22d8efbd7e
SHA1: 61c56b19c55020494fa19faa3d1b7a2f070259df
SHA256: cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8
Tags: 20-25-126-96, exe, user-JAMESWT_MHT

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://20.25.126.96:443/bDDs", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n"}
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n", "Type": "Metasploit Download", "URL": "http://20.25.126.96/bDDs"}
Source: 6GUgc6JYS1.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6GUgc6JYS1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 4x nop then sub rsp, 58h 1_2_00007FF78FD22C20
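The two extractor lines above give the Beacon C2 string and the embedded Metasploit-style stager URL. The Python below is an added example written for this page, not Joe Sandbox or Cobalt Strike code: it parses both configurations (copied verbatim from the extractor lines) into hunting indicators and applies the checksum8 stager-URI convention, in which the sum of the URI's bytes modulo 256 is 92 for an x86 stager and 93 for an x64 stager (Metasploit defined 92 for its Windows reverse_http stagers; Cobalt Strike uses 93 for x64 Beacon stagers). For "/bDDs" the result is 93, which agrees with the rest of the report describing a 64-bit image (image base 0x140000000, 64-bit API hashing rule). The function names (`checksum8`, `classify_stager_uri`, `indicators`) and the indicator field layout are my own choices. One caveat the code encodes: the extractor prints an http scheme for both URLs, but the Networking section below shows TLS handshakes to 20.25.126.96:443 (JA3 alerts, schannel.dll loaded), so the port, not the scheme, should drive any rule you write.

```python
"""Turn the two extracted configurations into hunting indicators.

Added example for this report; not Joe Sandbox, Cobalt Strike or Metasploit
code. The JSON strings are copied from the report's Malware Configuration
Extractor lines.
"""
import json
from urllib.parse import urlsplit

# Copied from the report's "Malware Configuration Extractor" lines.
COBALTSTRIKE_CONFIG = json.loads(
    '{"C2Server": "http://20.25.126.96:443/bDDs", "User Agent": '
    '"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; '
    'Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\\r\\n"}'
)
METASPLOIT_CONFIG = json.loads(
    '{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; '
    'Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\\r\\n", '
    '"Type": "Metasploit Download", "URL": "http://20.25.126.96/bDDs"}'
)

# checksum8 values used by Metasploit (92, Windows) and Cobalt Strike (93, x64).
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}


def checksum8(uri: str) -> int:
    """Metasploit's checksum8: sum of the URI bytes (leading slash excluded) mod 256."""
    return sum(uri.lstrip("/").encode("ascii")) % 256


def classify_stager_uri(uri: str) -> str:
    """Map a request URI to the stager flavour its checksum8 value encodes."""
    return STAGER_CHECKSUMS.get(checksum8(uri), "not a stager checksum")


def indicators(config: dict) -> dict:
    """Normalise either extractor record into a flat indicator dictionary."""
    url = config.get("C2Server") or config.get("URL")
    parts = urlsplit(url)
    ua_header = config.get("User Agent") or config.get("Headers")
    # Drop the "User-Agent: " prefix and trailing CRLF so the value matches a
    # proxy-log field as-is.
    user_agent = ua_header.split(":", 1)[1].strip()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "host": parts.hostname,
        "port": port,
        # The extractor prints "http" even for port 443; the report's traffic
        # section shows TLS on that port, so the port is what we trust here.
        "tls_expected": port == 443,
        "uri": parts.path,
        "stager": classify_stager_uri(parts.path),
        "user_agent": user_agent,
    }


if __name__ == "__main__":
    for name, cfg in (("CobaltStrike", COBALTSTRIKE_CONFIG), ("Metasploit", METASPLOIT_CONFIG)):
        print(name, json.dumps(indicators(cfg), indent=2))
```

Run as a script it prints both indicator sets; the User-Agent string is identical in the two records, which is the usual sign that the "Metasploit Download" entry is the stager half of the same Beacon configuration rather than a second payload.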

Networking

Source: Malware configuration extractor URLs: http://20.25.126.96:443/bDDs
Source: Malware configuration extractor URLs: http://20.25.126.96/bDDs
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49725 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49728 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49744 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49719 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49710 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49732 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49716 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49722 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49740 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49713 -> 20.25.126.96:443
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96 (reported 50 times)
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/%
Source: 6GUgc6JYS1.exe, 00000001.00000003.2583324428.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/.i$x
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/2
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/DDs
Source: 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/Y
Source: 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/bDDs
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/bDDs2i
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/bDDsF
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/bDDsH:px6
Source: 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/l
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_00007FF78FD219FB NtAccessCheckAndAuditAlarm, 1_2_00007FF78FD219FB
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_00007FF78FD21485 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,NtQueryInformationEnlistment, 1_2_00007FF78FD21485
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_00007FF78FD21A47 GetCurrentProcess,NtSetTimer, 1_2_00007FF78FD21A47
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228
Source: 6GUgc6JYS1.exe Static PE information: Number of sections : 11 > 10
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 6GUgc6JYS1.exe
Source: 6GUgc6JYS1.exe Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 6GUgc6JYS1.exe
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
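Both Elastic rules above key on the Metasploit block_api stub, which resolves imports by hash rather than by name. As an added example (not Joe Sandbox, Elastic or Metasploit code), the Python below reproduces that hash so an analyst can turn the constants recovered from the shellcode back into API names: ROR-13 accumulated over the upper-cased UTF-16LE module base name including its terminator, plus ROR-13 over the ASCII export name including its terminator, summed modulo 2^32. The function names are mine; the algorithm is the one in the referenced block_api.asm and its x86 counterpart, and the block reproduces the well-known constant 0x0726774C for kernel32.dll!LoadLibraryA.

```python
"""Reproduce the Metasploit block_api import hash (ROR-13) in Python.

Added example for this report; not Joe Sandbox, Elastic or Metasploit code.
"""

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (the `ror edi, 13` in block_api)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """One ROR-13 then ADD round per byte, exactly as the shellcode loop does."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(module_name: str) -> int:
    """Hash of the module as the stub sees it in the PEB loader list.

    BaseDllName is UTF-16LE, ASCII letters are upper-cased, and the loop runs
    over MaximumLength bytes, which includes the two-byte null terminator.
    """
    return hash_bytes(module_name.upper().encode("utf-16-le") + b"\x00\x00")


def function_hash(export_name: str) -> int:
    """Hash of an export name; the loop hashes through the null terminator."""
    return hash_bytes(export_name.encode("ascii") + b"\x00")


def api_hash(module_name: str, export_name: str) -> int:
    """The 32-bit value a stager loads (r10d on x64, push on x86) before call rbp/ebp."""
    return (module_hash(module_name) + function_hash(export_name)) & MASK32


def build_lookup(pairs) -> dict:
    """Rainbow table from hash to "module!export" for the pairs supplied."""
    return {api_hash(m, f): f"{m}!{f}" for m, f in pairs}


if __name__ == "__main__":
    # Exports a reverse_http style stager would resolve; extend as needed.
    table = build_lookup([
        ("kernel32.dll", "LoadLibraryA"),
        ("kernel32.dll", "VirtualAlloc"),
        ("wininet.dll", "InternetOpenA"),
        ("wininet.dll", "InternetConnectA"),
        ("wininet.dll", "HttpOpenRequestA"),
        ("wininet.dll", "HttpSendRequestA"),
        ("wininet.dll", "InternetReadFile"),
    ])
    for h, name in sorted(table.items()):
        print(f"0x{h:08X} {name}")
```

To use it against this sample, collect the 32-bit immediates that the shellcode at 000002598BC10000 moves into r10d before each `call rbp`, and look them up in the table; the wininet.dll exports are a sensible starting set because the report shows wininet.dll, winhttp.dll and schannel.dll being loaded by the process.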
Source: classification engine Classification label: mal92.troj.evad.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6608
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d1df4113-672f-494d-ae55-1bc242b60e66
Source: 6GUgc6JYS1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 6GUgc6JYS1.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe File read: C:\Users\user\Desktop\6GUgc6JYS1.exe
Source: unknown Process created: C:\Users\user\Desktop\6GUgc6JYS1.exe "C:\Users\user\Desktop\6GUgc6JYS1.exe"
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: 6GUgc6JYS1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 6GUgc6JYS1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: 6GUgc6JYS1.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_000002598BC1010C push esp; retf 1_2_000002598BC101C4
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_000002598BC1012B push eax; ret 1_2_000002598BC10387
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_000002598BC10310 push eax; ret 1_2_000002598BC10387
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (reported 5 times)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (reported 51 times)
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe Code function: 1_2_00007FF78FD21180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 1_2_00007FF78FD21180

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe NtMapViewOfSection: Indirect: 0x7FF78FD21AB4
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe NtCreateThreadEx: Indirect: 0x7FF78FD21562
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe NtProtectVirtualMemory: Indirect: 0x7FF78FD21519
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY