Edit tour

Windows Analysis Report
1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Overview

General Information

Sample name:	1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe
Analysis ID:	1561553
MD5:	2d7c75f028b353192b3701aa85394937
SHA1:	0217caad3688f814524a1befc7a2c7cac994c11b
SHA256:	ad4efc90ae107111294d887b791c90776d0a0de2f6b4290c9437919430a71672
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe" MD5: 2D7C75F028B353192B3701AA85394937)

WerFault.exe (PID: 7184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["thicktoys.sbs", "faintbl0w.sbs", "300snails.sbs", "3xc1aimbl0w.sbs"], "Build id": "rMQbTX--Newcrupt"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["thicktoys.sbs", "faintbl0w.sbs", "300snails.sbs", "3xc1aimbl0w.sbs"], "Build id": "rMQbTX--Newcrupt"}

Multi AV Scanner detection for submitted file

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: faintbl0w.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: 300snails.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: 3xc1aimbl0w.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: thicktoys.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: 300snails.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: Workgroup: -
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	String decryptor: rMQbTX--Newcrupt

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	4_2_0040694B
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6DF80C8Dh]	4_2_0043E5E9
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4x nop then cmp ebx, 000007FFh	4_2_0040978C
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4x nop then cmp ebx, 000007FFh	4_2_00409716

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: thicktoys.sbs
Source: Malware configuration extractor	URLs: faintbl0w.sbs
Source: Malware configuration extractor	URLs: 300snails.sbs
Source: Malware configuration extractor	URLs: 3xc1aimbl0w.sbs

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4_2_00406091		4_2_00406091
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Code function: 4_2_00402987		4_2_00402987

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 224

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6648

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f17783c6-dbde-4383-b71b-522c95663622

Jump to behavior

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe "C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe"
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 224

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Code function: 4_2_00437D8E push dword ptr [ecx+ebx*8-7Dh]; ret

4_2_00437E57

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe, 00000004.00000000.1277830079.0000000000442000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: faintbl0w.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe, 00000004.00000000.1277830079.0000000000442000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: 300snails.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe, 00000004.00000000.1277830079.0000000000442000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: 3xc1aimbl0w.sbs
Source: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe, 00000004.00000000.1277830079.0000000000442000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: thicktoys.sbs

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	26%	ReversingLabs
1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.211.34	true	false		high

Contacted URLs

Name	Malicious	Reputation
thicktoys.sbs	false	high
300snails.sbs	false	high
faintbl0w.sbs	false	high
3xc1aimbl0w.sbs	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561553
Start date and time:	2024-11-23 18:28:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.168.117.173, 2.20.68.210, 2.20.68.201
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Execution Graph export aborted for target 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe, PID 6648 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
14:05:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	217.20.59.37
	https://identitys.fraudguard.es/SSA_Updated_Statement	Get hash	malicious	ScreenConnect Tool	Browse	217.20.59.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	217.20.56.100
	bootstraper.exe	Get hash	malicious	Unknown	Browse	217.20.56.102
	lIUubnREXh.exe	Get hash	malicious	ScreenConnect Tool	Browse	84.201.208.67
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	84.201.208.70
	88a4dd8-Contract Agreement-Final378208743.pdf	Get hash	malicious	Unknown	Browse	84.201.208.70
	file.exe	Get hash	malicious	Credential Flusher	Browse	217.20.56.99
	FW_ Signature Required For Agreement with ID_41392PJBM8759674.msg	Get hash	malicious	Unknown	Browse	84.201.208.106
	SeleniumVBA.xlsm	Get hash	malicious	Unknown	Browse	84.201.208.72
bg.microsoft.map.fastly.net	17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe	Get hash	malicious	XWorm	Browse	199.232.214.172
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	199.232.210.172
	download.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	download.ps1	Get hash	malicious	Unknown	Browse	146.75.30.172
	download.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	download.ps1	Get hash	malicious	Unknown	Browse	199.232.214.172
	download.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	LRkZCtzQ3.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.214.172

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1732382826559c62_c9e6802a6b8064fb6ff81fe4b92118b45f1fd583_4ee20893_e28f43ba-ed04-47fb-bb23-c9b07e6ae222\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.7161711511341801
Encrypted:	false
SSDEEP:	192:Gi29TG2j2xurG22F0NXfO242pjEzuiF4Z24IO8S2X2v:NWGyAurGGNXfOpGjEzuiF4Y4IO8S2O
MD5:	36800FCF5A05FBFF079DDC0A14BA4A7E
SHA1:	D28D213F85ED270008033B1CF11AFF2BA34AFEC5
SHA-256:	574D76BEACD5909B763BF50D513DA443EBB8E4F48A1CDF4D78D6813F0452E38C
SHA-512:	BC70003667C6654B56790DEDAD966C405213B83520D5AE8B36A2F6B132FF0F167ED8479534C96FEDE7A62BBED40DAB72BA88512E926B0640CD9D03324C0A0D43
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.5.6.5.4.9.2.4.6.4.6.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.5.6.5.4.9.5.5.8.9.5.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.8.f.4.3.b.a.-.e.d.0.4.-.4.7.f.b.-.b.b.2.3.-.c.9.b.0.7.e.6.a.e.2.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.a.c.6.1.1.f.-.9.3.8.9.-.4.2.2.e.-.a.5.8.e.-.2.2.5.c.5.e.2.e.4.3.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.7.3.2.3.8.2.8.2.6.5.5.9.c.6.2.d.8.b.8.4.c.0.2.e.9.5.6.3.6.f.4.6.2.1.2.b.9.f.8.0.3.0.8.2.b.7.8.6.8.1.8.7.6.4.4.f.f.f.4.9.2.6.c.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.8.-.0.0.0.1.-.0.0.1.4.-.5.1.b.8.-.1.8.3.4.c.d.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.5.d.7.c.c.c.a.e.e.7.1.b.f.3.b.0.2.a.f.3.5.2.3.4.a.6.0.6.8.3.0.0.0.0.0.f.f.f.f.!.0.0.0.0.0.2.1.7.c.a.a.d.3.6.8.8.f.8.1.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Nov 23 17:29:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	19618
Entropy (8bit):	2.0491734610019687
Encrypted:	false
SSDEEP:	96:5d8T9Rz9y4Voln5J2iiDi7nvTMBM1luS+xWI/WItumZ4mYvm1x:kA2ol32jOvoA+pM+1x
MD5:	9061488E09E7FF00C0920840690554C9
SHA1:	1849EEAAACD924948134F938503082B7DB56D4AD
SHA-256:	A75953A6330E81D0B586D6E6CCA80F29B2D7A5F7D30D556FB1A15444E5B419E0
SHA-512:	767763A2672B1B40431625884998CC0519E44D4EAE8202A5E422A1334451CDCB8B505CFFBA45B81573D9902F101AFE193FDBBA9C36F5911D1185BC65672A8D05
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Bg............4...............<.......d...<...........T.......8...........T...........H...ZC......................................................................................................eJ......L.......GenuineIntel............T.............Bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A09.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	3.706950020509444
Encrypted:	false
SSDEEP:	192:R6l7wVeJn2Mj6D4pOT6YNJSU9MgmfI2IkOJPWOOpxM89brhsfXZm:R6lXJnZ6D4U6YzSU9MgmfIvJPWOArafE
MD5:	5A2D0D0FA22AAE88BFF68966CC2B33E8
SHA1:	62B19BEC778F3E35725EFF62A13927DC867648B8
SHA-256:	9D8FAF29D524CBD558DFC4097969134BDCD17E2E964BBDDF7AE982A04B5751B5
SHA-512:	19D5E3F4E80BF25A57895CA3E3B7A0C1A4E698E6BD1DF57326BBF059C813D3BB4A7319C78F6BA672EF59716E82FD8E474C7CE01BE1E1E4E79634490AA0B444D1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A29.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4893
Entropy (8bit):	4.570379855365422
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg77aI9kvWpW8VYvYm8M4JSnYnEKFxo+q8znNUzvx4n6Ln69d:uIjfPI7i+7V3JomNo4Iv06D69d
MD5:	F0E18F9104D2F9AF22B0C50092A056B0
SHA1:	3EF16E823733AD2D82FAD2E8615FF73215FF716C
SHA-256:	DAF2D158C4DBF2F82F39E9C8C5C43D7D2DA377139300ABC8906DD9FCD7BAFCB4
SHA-512:	F00E9F6029D0246E7C4A866BC3AA1402A4BD510F9AFB9FF20B0775783D31DED90A0AEFC413875A63E062B0F12FB16EC6A089D828DD028FF396F8897A08A16317
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600991" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417198336616993
Encrypted:	false
SSDEEP:	6144:4cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN35+:ti58oSWIZBk2MM6AFBRo
MD5:	F40291DB798FAD4CD3205F2C90710B21
SHA1:	5A5A7EF93584AADBBCD152DCFD8E190CB9B57708
SHA-256:	BEF134594EE90F44A5D5CF2647B365672FB7B557650D7EE9DA43A84C6CB13BA8
SHA-512:	6DCE0FF17A06096C5215EB697B135887B1E742679F169C61881424B47896D210311CF2B95646878D91E2E25762B01B1F9E12FB7A6A18A0E1E62F4DD9BB708A99
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNEE4.=..............................................................................................................................................................................................................................................................................................................................................%.R.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.867260296569302
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe
File size:	321'961 bytes
MD5:	2d7c75f028b353192b3701aa85394937
SHA1:	0217caad3688f814524a1befc7a2c7cac994c11b
SHA256:	ad4efc90ae107111294d887b791c90776d0a0de2f6b4290c9437919430a71672
SHA512:	ce02b16f66faba16715fde855f49b6178a6467629cb181a6acb64046c58221e4c05d8c8388d52664d579ae76972dbdf19cc183b19f7f9921b83342bc550ae817
SSDEEP:	6144:MixCPkE/1cvSqjKctG9DDHMFplU1DD8xbgg/4LWU9pHZ:Nx9E/uKq+Z9DDszU8xDIp
TLSH:	E5647D06D72750A1D8CB4975228EB73BA93B691053388DC3DB8CEBA478675E17C36E07
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...C.2g............................0.............@.......................................@........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x408930
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6732A343 [Tue Nov 12 00:37:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add cl, byte ptr [edi]
mov dh, E8h
imul eax, ebp, 01010101h
mov edi, edx
rep stosd
mov esi, ebx
cmp byte ptr [eax], 00000013h
lodsd
out FCh, al
add esi, edx
mov ecx, ebx
shr ecx, 1
cmp byte ptr [eax], 00000013h
lodsd
loope 00007F808888EDA3h
mov eax, dword ptr [esp+18h]
shl eax, 08h
or eax, ebp
mov edi, esi
rep stosw
test bl, 00000001h
je 00007F808888EDACh
and ebx, 02h
mov eax, dword ptr [esp+18h]
mov byte ptr [esi+ebx], al
mov eax, dword ptr [esp+14h]
pop esi
pop edi
pop ebx
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
mov ecx, dword ptr [esp+10h]
xor eax, eax
test ecx, ecx
je 00007F808888EDBFh
mov edx, dword ptr [esp+08h]
movzx ebx, byte ptr [esp+0Ch]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
cmp byte ptr [edx], bl
je 00007F808888EDA8h
inc edx
dec ecx
jne 00007F808888EDB0h
add al, EBh
js 00007F808888EDFDh
ret
mov eax, edx
pop ebx
ret
int3
int3
mov eax, F0FFFFFFh
loopne 00007F808888EDF0h
mov bh, 8Bh
dec esp
and al, 04h
nop
nop
nop
nop
nop
nop
nop
cmp byte ptr [ecx+eax+01h], 00000000h
lea eax, dword ptr [eax+01h]
jne 00007F808888ED98h
ret
int3
int3
int3
int3
int3
push ebp
push ebx
push edi
push esi
xor eax, eax
mov ecx, dword ptr [esp+1Ch]
mov ebp, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
xor edi, edi
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x40bea	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0x4188	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x40d30	0xb8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3db13	0x3dc00	6cd27aa70ce4fc050e8bcbcdcc9f1369	False	0.5493697811234818	data	6.712150569078424	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x20a1	0x2200	a06e9b1e0abd7eadc56d1d10843fffed	False	0.6353400735294118	data	6.7032113569074765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x42000	0x10838	0x6200	d896ba6632056ceab39ac012535c40e1	False	0.5248724489795918	data	6.911045553172638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x53000	0x4	0x200	6b79c882e37f9ca587058c8012527c1d	False	0.525390625	data	4.2082289018907755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0x4188	0x4200	4cd79cbe521e35edfeb5102d9ae41cba	False	0.5780658143939394	data	6.498520241779078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 18:29:13.107800961 CET	1.1.1.1	192.168.2.7	0x86fb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:29:13.107800961 CET	1.1.1.1	192.168.2.7	0x86fb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.211.34	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.211.40	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.66	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.73	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.59.34	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.74	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.56.99	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:30:30.099693060 CET	1.1.1.1	192.168.2.7	0xf06e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.56.101	A (IP address)	IN (0x0001)	false

Analysis Process: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exePID: 6648, Parent PID: 4056

General

Target ID:	4
Start time:	12:29:08
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe"
Imagebase:	0x400000
File size:	321'961 bytes
MD5 hash:	2D7C75F028B353192B3701AA85394937
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:29:09
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 224
Imagebase:	0xd40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exePID: 6648, Parent PID: 4056COMMON

Non-executed Functions

Function 00406091 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6175273edf793e2becee89ebafee79875d2dca3bf1663611e72c48169f2d6c33
Instruction ID: 10122977494ede6b074ec87dd895ec6f67415f5d360792ac0fd7ee26bddeeb8f
Opcode Fuzzy Hash: 6175273edf793e2becee89ebafee79875d2dca3bf1663611e72c48169f2d6c33
Instruction Fuzzy Hash: 64F1E27110C3819FD721CF28C88066BBFE1EF96304F45486EE4C69B392E279E559CB96

Function 0040694B Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f5fda50f7d06c72fcb9b0aeb295703f27b0ce85c76e5db2d2f9179bbdd6d10
Instruction ID: 91639e323ee2ff27fa6bc0131604657f492cab1489cd3739313a0543a05f127c
Opcode Fuzzy Hash: 86f5fda50f7d06c72fcb9b0aeb295703f27b0ce85c76e5db2d2f9179bbdd6d10
Instruction Fuzzy Hash: 7F9138B09087A48FC729DF24C9802A67BF0FF1731071545AFD4D79BA92D238B552CB4A

Function 00402987 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a808257ccdb6e5a2f80500928182385aca82a1b708776bd672790a00a6df08
Instruction ID: cfd9e4414be14dd5580dca914d618563d257a40d81f0b5256d3d6c65ec52e9ee
Opcode Fuzzy Hash: a6a808257ccdb6e5a2f80500928182385aca82a1b708776bd672790a00a6df08
Instruction Fuzzy Hash: F8314BB7F287614BE7188E259C851877791AB97320B1D117BDD81E73D2C6B9E806C288

Function 00409716 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51af8026d38e4162f13e3c7f2c88a3e2630c6966892ff872edcd2c154a74086e
Instruction ID: 9d60097c63d15278ab6b12b8761ad6844a56f040a4e86024bd49c7580a423497
Opcode Fuzzy Hash: 51af8026d38e4162f13e3c7f2c88a3e2630c6966892ff872edcd2c154a74086e
Instruction Fuzzy Hash: 2A2135B255A3858FE3216A248D457BA7B909F67310F2CC47FD985AB3C3D1388D06931A

Function 0040978C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a0bd3a8e4587986748adc948eff278788eddd4472d43eefccc1328aaaa03fb
Instruction ID: bfaa69f38012ff25aaaeeb77a7b02edfb3d9c1891fe1b45ce7771a4f4b86c221
Opcode Fuzzy Hash: c6a0bd3a8e4587986748adc948eff278788eddd4472d43eefccc1328aaaa03fb
Instruction Fuzzy Hash: 7C1138766193449FE3245A208D417AAB7D5DF97320F2CC57EDA84AB3C3C6399C06831A

Function 0043E5E9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545128461.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2545051402.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545283580.000000000043F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545360436.0000000000440000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545440625.0000000000441000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545518835.0000000000442000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2545584245.0000000000453000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a533.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b739ac3f74f45a4085b22afd5582117c939914b0d8ae4529f7d91fcc7ed70a
Instruction ID: 3e1478b96db13d4db409c00200ba5ef1b55127737737010a9e9344fdd16f87b2
Opcode Fuzzy Hash: 28b739ac3f74f45a4085b22afd5582117c939914b0d8ae4529f7d91fcc7ed70a
Instruction Fuzzy Hash: ACF078B5E0A2604BC3084E36C85856ABB72DBC7205F99C42DE9C40BBC9C9758902C71B

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1732382826559c62_c9e6802a6b8064fb6ff81fe4b92118b45f1fd583_4ee20893_e28f43ba-ed04-47fb-bb23-c9b07e6ae222\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A09.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A29.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exe