Edit tour

Windows Analysis Report
hwPMkWBZ6O.exe

Overview

General Information

Sample name:	hwPMkWBZ6O.exe renamed because original name is a hash value
Original sample name:	2024-06-08_4f7c96df26709451ade16a8703b546df_avoslocker.exe
Analysis ID:	1562216
MD5:	4f7c96df26709451ade16a8703b546df
SHA1:	4cccded38fbfe2bc528be05389a0e7ab1bb18bb7
SHA256:	1e4053448fa8dbcee9851ea62a6399bda2d8188b6ac3a0093b5a0049fa9be3e4
Tags:	exemalwareRansomwareuser-Joker
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Detected potential crypto function

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hwPMkWBZ6O.exe (PID: 4072 cmdline: "C:\Users\user\Desktop\hwPMkWBZ6O.exe" MD5: 4F7C96DF26709451ADE16A8703B546DF)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hwPMkWBZ6O.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: hwPMkWBZ6O.exe

ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: hwPMkWBZ6O.exe

Joe Sandbox ML: detected

Source: hwPMkWBZ6O.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: MidlRT.pdb source: hwPMkWBZ6O.exe
Source:	Binary string: MidlRT.pdbGCTL source: hwPMkWBZ6O.exe

Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_00407D6C	0_2_00407D6C
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_00403EA0	0_2_00403EA0
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_00405BB5	0_2_00405BB5
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_004014B6	0_2_004014B6

Source: hwPMkWBZ6O.exe	Binary or memory string: OriginalFilename vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe, 00000000.00000000.2111814165.0000000000551000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe, 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe	Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe

Source: hwPMkWBZ6O.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hwPMkWBZ6O.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: hwPMkWBZ6O.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal60.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03

Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hwPMkWBZ6O.exe

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\hwPMkWBZ6O.exe "C:\Users\user\Desktop\hwPMkWBZ6O.exe"
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe

Section loaded: midlrtmd.dll

Jump to behavior

Source: hwPMkWBZ6O.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hwPMkWBZ6O.exe

Static file information: File size 2082816 > 1048576

Source: hwPMkWBZ6O.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x145200

Source: hwPMkWBZ6O.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: MidlRT.pdb source: hwPMkWBZ6O.exe
Source:	Binary string: MidlRT.pdbGCTL source: hwPMkWBZ6O.exe

Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_0040BF5A push eax; iretd	0_2_0040BF65
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_00413164 pushfd ; ret	0_2_00413165
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_0040BF66 pushad ; iretd	0_2_0040BF71
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_004112F9 pushad ; iretd	0_2_004113F9
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe	Code function: 0_2_0041119F push eax; ret	0_2_004111AD

Source: hwPMkWBZ6O.exe

Static PE information: section name: .reloc entropy: 7.901129109347179

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Software Packing	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hwPMkWBZ6O.exe	84%	ReversingLabs	Win32.Virus.Expiro
hwPMkWBZ6O.exe	100%	Avira	W32/Infector.Gen
hwPMkWBZ6O.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562216
Start date and time:	2024-11-25 10:59:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hwPMkWBZ6O.exe renamed because original name is a hash value
Original Sample Name:	2024-06-08_4f7c96df26709451ade16a8703b546df_avoslocker.exe
Detection:	MAL
Classification:	mal60.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hwPMkWBZ6O.exe, PID 4072 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: hwPMkWBZ6O.exe

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.213390277350323
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hwPMkWBZ6O.exe
File size:	2'082'816 bytes
MD5:	4f7c96df26709451ade16a8703b546df
SHA1:	4cccded38fbfe2bc528be05389a0e7ab1bb18bb7
SHA256:	1e4053448fa8dbcee9851ea62a6399bda2d8188b6ac3a0093b5a0049fa9be3e4
SHA512:	2343c707047701868e4ba6af3ab085db5ea1997c1a36ff92c3702748381a33a06d5c8c017a59d213d058940c2d3fd8f27ebdeddb97fcf0c3a816696b6beeca04
SSDEEP:	49152:satQfOOwViT2YcsSo3ZH4BkNpvOoROs0hxtz7CNtcW+S8:nV62YcsSo3ZH4qNUkOHhxtk8
TLSH:	E3A5BE3275D0A4B7E122313087AAE361546ECA30676285C733DCC77E1FB5AC1993A79B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...]...\.......\...X...\..._...\...]...\...].a.\...U...\...Y...\.......\...^...\.Rich..\.........PE..L......+...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5261e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2BA913AD [Fri Mar 19 00:28:29 1993 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	222bb63698d5e056823213878b2e8268

Entrypoint Preview

Instruction
call 00007F223CD53690h
jmp 00007F223CC766DDh
cmp ecx, dword ptr [0054C1E0h]
jne 00007F223CC76875h
ret
jmp 00007F223CC76E1Dh
jmp 00007F223CBB3269h
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F223CBB325Ch
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
pop ebp
jmp 00007F223CBB3219h
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00402760h
je 00007F223CC76879h
push esi
call 00007F223CBB322Fh
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F223CC76897h
push 00000000h
call 00007F223CC76B9Eh
pop ecx
test al, al
je 00007F223CC76880h
push 00526370h
call 00007F223CC76D47h
pop ecx
xor eax, eax
ret
push 00000007h
call 00007F223CC77113h
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFFh
push 00532A3Ch
mov eax, dword ptr fs:[00000000h]
push eax
push ebx
push esi
push edi
mov eax, dword ptr [0054C1E0h]
xor eax, ebp
push eax
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
push 00000FA0h
push 0054CEACh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1512b0	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x153000	0x113e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x60e80	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1349c	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x133f0	0xac	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x151000	0x2ac	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14502c	0x145200	b16132fbba378059313e57ab8b37bf53	False	0.46127465998654366	data	6.6190072289557484	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x147000	0x9a60	0x5a00	359378f0ad35802ad84faf15b313c91e	False	0.20512152777777778	data	4.209294138396472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x151000	0x1244	0x1400	9cb624e74ec1d70e05c0cd2b5d548df4	False	0.4013671875	data	5.273728621570615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x153000	0x113e8	0x11400	395fd077ac77a4cd2c80e8f2c67ceff1	False	0.11278589221014493	data	5.5043757958330595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x165000	0xa0000	0x9f000	747d1e7a9cdf3b73225d9655b4626054	False	0.9348466981132075	data	7.901129109347179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CODEFRAGMENT	0x154710	0x19d	ASCII text, with CRLF line terminators	English	United States	0.6343825665859564
CODEFRAGMENT	0x1548b0	0x21d	ASCII text, with CRLF line terminators	English	United States	0.5489833641404805
CODEFRAGMENT	0x154ad0	0x3f3	ASCII text, with CRLF line terminators	English	United States	0.4124629080118694
CODEFRAGMENT	0x154ec8	0xa0	ASCII text, with CRLF line terminators	English	United States	0.89375
CODEFRAGMENT	0x154f68	0x1b7	ASCII text, with CRLF line terminators	English	United States	0.5535307517084282
CODEFRAGMENT	0x155120	0xd8	ASCII text, with CRLF line terminators	English	United States	0.7407407407407407
CODEFRAGMENT	0x1551f8	0x1aa	ASCII text, with CRLF line terminators	English	United States	0.636150234741784
CODEFRAGMENT	0x1553a8	0x24f	ASCII text, with CRLF line terminators	English	United States	0.5363790186125211
CODEFRAGMENT	0x154628	0xe5	ASCII text, with CRLF line terminators	English	United States	0.5327510917030568
CODEFRAGMENT	0x1555f8	0x13a	ASCII text, with CRLF line terminators	English	United States	0.6910828025477707
CODEFRAGMENT	0x155738	0x132	ASCII text, with CRLF line terminators	English	United States	0.6830065359477124
CODEFRAGMENT	0x155870	0x10e	ASCII text, with CRLF line terminators	English	United States	0.7222222222222222
CODEFRAGMENT	0x155980	0x16f	ASCII text, with CRLF line terminators	English	United States	0.5967302452316077
CODEFRAGMENT	0x155af0	0x1e1	ASCII text, with CRLF line terminators	English	United States	0.6257796257796258
CODEFRAGMENT	0x155cd8	0xf8	ASCII text, with CRLF line terminators	English	United States	0.7096774193548387
CODEFRAGMENT	0x155dd0	0x26a	ASCII text, with CRLF line terminators	English	United States	0.4110032362459547
CODEFRAGMENT	0x156040	0x1bc	Generic INItialization configuration [propput]	English	United States	0.6081081081081081
CODEFRAGMENT	0x156200	0x298	Generic INItialization configuration [propput]	English	United States	0.4382530120481928
CODEFRAGMENT	0x156498	0x27a	Generic INItialization configuration [propput]	English	United States	0.45110410094637227
CODEFRAGMENT	0x156718	0x109	ASCII text, with CRLF line terminators	English	United States	0.7018867924528301
CODEFRAGMENT	0x156828	0x109	ASCII text, with CRLF line terminators	English	United States	0.7094339622641509
CODEFRAGMENT	0x156938	0xe5	ASCII text, with CRLF line terminators	English	United States	0.759825327510917
CODEFRAGMENT	0x156a20	0xf7	ASCII text, with CRLF line terminators	English	United States	0.7408906882591093
CODEFRAGMENT	0x156b18	0xf7	ASCII text, with CRLF line terminators	English	United States	0.7327935222672065
CODEFRAGMENT	0x156c10	0xf8	ASCII text, with CRLF line terminators	English	United States	0.7540322580645161
CODEFRAGMENT	0x156d08	0x122	ASCII text, with CRLF line terminators	English	United States	0.7517241379310344
CODEFRAGMENT	0x156e30	0x12f	ASCII text, with CRLF line terminators	English	United States	0.7128712871287128
CODEFRAGMENT	0x156f60	0x363	ASCII text, with CRLF line terminators	English	United States	0.461361014994233
CODEFRAGMENT	0x157368	0xa7	ASCII text, with CRLF line terminators	English	United States	0.8802395209580839
CODEFRAGMENT	0x1572c8	0x9e	ASCII text, with CRLF line terminators	English	United States	0.8860759493670886
CODEFRAGMENT	0x157410	0x3de	ASCII text, with CRLF line terminators	English	United States	0.4898989898989899
CODEFRAGMENT	0x1577f0	0xea	ASCII text, with CRLF line terminators	English	United States	0.6752136752136753
CODEFRAGMENT	0x157c28	0xcb8	C source, ASCII text, with CRLF line terminators	English	United States	0.23617936117936117
CODEFRAGMENT	0x1588e0	0x11b3	C source, ASCII text, with CRLF line terminators	English	United States	0.20635621275656588
CODEFRAGMENT	0x159a98	0x756	C source, ASCII text, with CRLF line terminators	English	United States	0.29659211927582535
CODEFRAGMENT	0x15a1f0	0xa7b	C source, ASCII text, with CRLF line terminators	English	United States	0.2616474096161014
CODEFRAGMENT	0x15ac70	0x7e1	C source, ASCII text, with CRLF line terminators	English	United States	0.2949925632126921
CODEFRAGMENT	0x15b458	0xa21	C source, ASCII text, with CRLF line terminators	English	United States	0.26764365599691475
CODEFRAGMENT	0x15be80	0xc19	C source, ASCII text, with CRLF line terminators	English	United States	0.24572166612851146
CODEFRAGMENT	0x15caa0	0x847	C source, ASCII text, with CRLF line terminators	English	United States	0.2888154789995281
CODEFRAGMENT	0x15d2e8	0x83e	C source, ASCII text, with CRLF line terminators	English	United States	0.2881516587677725
CODEFRAGMENT	0x15db28	0x47c	C source, ASCII text, with CRLF line terminators	English	United States	0.382404181184669
CODEFRAGMENT	0x15dfa8	0x51c	C source, ASCII text, with CRLF line terminators	English	United States	0.36162079510703365
CODEFRAGMENT	0x15e4c8	0x7f3	C source, ASCII text, with CRLF line terminators	English	United States	0.28697788697788695
CODEFRAGMENT	0x15ecc0	0x8d2	C source, ASCII text, with CRLF line terminators	English	United States	0.27723649247121346
CODEFRAGMENT	0x15f598	0xabd	C source, ASCII text, with CRLF line terminators	English	United States	0.24190614769006913
CODEFRAGMENT	0x160058	0xa78	C source, ASCII text, with CRLF line terminators	English	United States	0.24440298507462688
CODEFRAGMENT	0x160ad0	0x4a1	C source, ASCII text, with CRLF line terminators	English	United States	0.3729957805907173
CODEFRAGMENT	0x160f78	0x4c3	C source, ASCII text, with CRLF line terminators	English	United States	0.38720262510254305
CODEFRAGMENT	0x161440	0x487	C source, ASCII text, with CRLF line terminators	English	United States	0.3925798101811907
CODEFRAGMENT	0x1618c8	0x478	C source, ASCII text, with CRLF line terminators	English	United States	0.38286713286713286
CODEFRAGMENT	0x161d40	0x48d	C source, ASCII text, with CRLF line terminators	English	United States	0.37510729613733906
CODEFRAGMENT	0x1621d0	0x744	C source, ASCII text, with CRLF line terminators	English	United States	0.30591397849462365
CODEFRAGMENT	0x162918	0x77d	C source, ASCII text, with CRLF line terminators	English	United States	0.3072509128847157
CODEFRAGMENT	0x163098	0xfb	ASCII text, with CRLF line terminators	English	United States	0.8007968127490039
CODEFRAGMENT	0x163198	0x276	C source, ASCII text, with CRLF line terminators	English	United States	0.5746031746031746
CODEFRAGMENT	0x163808	0x402	C source, ASCII text, with CRLF line terminators	English	United States	0.38693957115009747
CODEFRAGMENT	0x163410	0x3f1	C source, ASCII text, with CRLF line terminators	English	United States	0.38850346878097125
CODEFRAGMENT	0x1578e0	0x343	C++ source, ASCII text, with CRLF line terminators	English	United States	0.5401197604790419
CODEFRAGMENT	0x163c10	0x146	ASCII text, with CRLF line terminators	English	United States	0.5674846625766872
CODEFRAGMENT	0x163d58	0x347	ASCII text, with CRLF line terminators	English	United States	0.3706793802145411
CODEFRAGMENT	0x1640a0	0xfe	ASCII text, with CRLF line terminators	English	United States	0.46062992125984253
CODEFRAGMENT	0x1641a0	0x246	ASCII text, with CRLF line terminators	English	United States	0.3247422680412371
RT_VERSION	0x154288	0x39c	OpenPGP Secret Key	English	United States	0.4523809523809524
RT_MANIFEST	0x153cb0	0x5d3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.36217303822937624

Imports

DLL	Import
KERNEL32.dll	GetStdHandle, WaitForSingleObject, CloseHandle, CreateProcessA, GetExitCodeProcess, GetShortPathNameA, GetEnvironmentVariableA, GetLastError, lstrcmpiA, GetSystemDefaultLCID, IsDBCSLeadByteEx, GetLocaleInfoA, CompareStringOrdinal, MultiByteToWideChar, WideCharToMultiByte, SizeofResource, WriteFile, FindResourceA, SetCurrentDirectoryA, LoadResource, FindFirstFileExW, FindClose, GetCommandLineW, GetCommandLineA, LocalFree, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, GetCurrentDirectoryA, FormatMessageA, CreateMutexExW, OpenSemaphoreW, GetFileAttributesA, ReleaseMutex, GetFileAttributesW, GetTempFileNameA, GetProcAddress, GetModuleHandleA, CompareStringA, LockResource, DebugBreak, InitOnceExecuteOnce, FormatMessageW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, ReadFile, GetConsoleMode, ReadConsoleW, CreateFileW, GetFileType, GetDriveTypeW, GetSystemTimeAsFileTime, DuplicateHandle, GetFullPathNameW, ExitProcess, FreeLibrary, GetModuleHandleW, GetModuleHandleExW, HeapAlloc, HeapReAlloc, HeapFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStartupInfoW, FlushFileBuffers, GetConsoleOutputCP, RaiseException, SetStdHandle, SetFilePointerEx, SetEndOfFile, DeleteFileW, MoveFileExW, GetFileSizeEx, GetCurrentDirectoryW, GetFileAttributesExW, GetProcessHeap, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetModuleFileNameW, CreateProcessW, WriteConsoleW, OutputDebugStringW, HeapSize, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, QueryPerformanceCounter, GetCurrentProcessId, InitializeSListHead, RtlUnwind, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LoadLibraryExA, GetModuleFileNameA, CreateSemaphoreExW, ReleaseSemaphore, FindNextFileW
ole32.dll	OleUninitialize, CoInitialize, StringFromGUID2, CoUninitialize, OleInitialize
RPCRT4.dll	RpcStringFreeA, UuidToStringA
bcrypt.dll	BCryptDestroyHash, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptGetProperty, BCryptHashData, BCryptCreateHash, BCryptOpenAlgorithmProvider
api-ms-win-core-path-l1-1-0.dll	PathCchFindExtension, PathCchAddBackslash, PathCchCanonicalizeEx, PathCchRemoveFileSpec, PathCchRenameExtension, PathCchRemoveExtension
SHLWAPI.dll	PathIsRelativeA, PathIsRelativeW, SHCreateStreamOnFileEx
ADVAPI32.dll	TraceEvent
OLEAUT32.dll	VariantClear, SysAllocString, LoadTypeLibEx, LHashValOfNameSys, SysFreeString
MidlrtMd.dll	CreatePEFile, MetaDataGetDispenser

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:59:58
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\hwPMkWBZ6O.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hwPMkWBZ6O.exe"
Imagebase:	0x400000
File size:	2'082'816 bytes
MD5 hash:	4F7C96DF26709451ADE16A8703B546DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	04:59:58
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00407D6C Relevance: 11.8, Strings: 8, Instructions: 1820COMMON

Download Yara Rule

Strings

DefaultCase : [ KWDEFAULT ] MemberDeclaration , xrefs: 004083F5
OneAttributeWithDefault : SimpleContractAttribute , xrefs: 00408665
NidlUnionBody : NidlUnionCases , xrefs: 00408405
OneAttributeWithDefault : ContractVersionAttribute , xrefs: 00408660, 00408661
OneAttributeWithDefault : OdlAttribute , xrefs: 0040865D
OneAttributeWithDefault : OperationAttribute , xrefs: 00408659
OneAttributeWithDefault : CustomAttributeUse , xrefs: 00408669
OneAttributeWithDefault : FromContractAttribute , xrefs: 0040866D

Memory Dump Source

Source File: 00000000.00000002.3349125478.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3349108151.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349236541.0000000000547000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.0000000000551000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349311988.0000000000565000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hwPMkWBZ6O.jbxd

Similarity

API ID:
String ID: DefaultCase : [ KWDEFAULT ] MemberDeclaration $NidlUnionBody : NidlUnionCases $OneAttributeWithDefault : ContractVersionAttribute $OneAttributeWithDefault : CustomAttributeUse $OneAttributeWithDefault : FromContractAttribute $OneAttributeWithDefault : OdlAttribute $OneAttributeWithDefault : OperationAttribute $OneAttributeWithDefault : SimpleContractAttribute
API String ID: 0-2238874750
Opcode ID: 1698cc077c24d653698e18fac25b951681d5f5a8eb7224578418dfa7e5a2f21c
Instruction ID: 19e1a6836d8aebd14907579656854402bad9524ab0abf0741234b7148fd80153
Opcode Fuzzy Hash: 1698cc077c24d653698e18fac25b951681d5f5a8eb7224578418dfa7e5a2f21c
Instruction Fuzzy Hash: 61D2524058E3D10FD3278B6409BA5DABF60AEA312435A97EFC5C20BCA3E54D885BC357

Function 004014B6 Relevance: 2.3, Instructions: 2306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3349125478.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3349108151.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349236541.0000000000547000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.0000000000551000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349311988.0000000000565000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hwPMkWBZ6O.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5065b86b031a83ed259657acd56524d703b5f0e92f6b3668a2d0b564f017d5b2
Instruction ID: aaab05739e40763d5f833645f9d053007fad5f5f69087e365689bc844ff6475b
Opcode Fuzzy Hash: 5065b86b031a83ed259657acd56524d703b5f0e92f6b3668a2d0b564f017d5b2
Instruction Fuzzy Hash: BF03999548E7C11FE71787701C7A695BF70AE53228B1E86DFC8C68A4A3D24D894BC363

Function 00405BB5 Relevance: 1.3, Instructions: 1263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3349125478.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3349108151.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349236541.0000000000547000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.0000000000551000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349311988.0000000000565000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hwPMkWBZ6O.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757569403760b21852206191aaaae72ce9c512ff52663bd5584f218e20b1cc13
Instruction ID: 50341890006d49cd0f394ef5738cf47c07f2f279fe5a236f18141fee0910f5cb
Opcode Fuzzy Hash: 757569403760b21852206191aaaae72ce9c512ff52663bd5584f218e20b1cc13
Instruction Fuzzy Hash: A782075069E7E15FD303867849B96C9BF60EF9310831B51EFC5C64B8A3D6848C9BC36A

Function 00403EA0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3349125478.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3349108151.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349236541.0000000000547000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349256436.0000000000551000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3349311988.0000000000565000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hwPMkWBZ6O.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32112b7529e4b2e973b43135a387a6ab2b448f9146f75dde1d98b40621e18ff
Instruction ID: 4177ded3e10064d9f4a77240e7dd8e27b739411d6439add5aef0f783dbc0b8f3
Opcode Fuzzy Hash: e32112b7529e4b2e973b43135a387a6ab2b448f9146f75dde1d98b40621e18ff
Instruction Fuzzy Hash: C2A1C44026EBF00FD327C32848F96E23F54DE9715931A61EFCAC24A4A3E5944857C7A7

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hwPMkWBZ6O.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: hwPMkWBZ6O.exePID: 4072, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 5552, Parent PID: 4072

General

Chronological Activities

Disassembly

Analysis Process: hwPMkWBZ6O.exePID: 4072, Parent PID: 4004COMMON

Non-executed Functions

Function 00407D6C Relevance: 11.8, Strings: 8, Instructions: 1820COMMON

Function 004014B6 Relevance: 2.3, Instructions: 2306COMMON

Function 00405BB5 Relevance: 1.3, Instructions: 1263COMMON

Function 00403EA0 Relevance: .4, Instructions: 356COMMON

Windows Analysis Report
hwPMkWBZ6O.exe