Edit tour

Windows Analysis Report
SGIART9.exe

Overview

General Information

Sample name:	SGIART9.exe
Analysis ID:	1417156
MD5:	0a404629a2a8a1185c3048d164f7eca2
SHA1:	c40fee8f8a0247359a05c9db8be6fb66ca65b452
SHA256:	5f7a67bd387dfc4c9d750cdc0ced3e4efb37dcc918a0ce4869f3561b88944873

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SGIART9.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\SGIART9.exe" MD5: 0A404629A2A8A1185C3048D164F7ECA2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SGIART9.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\SGIART9.exe	Code function: 1_2_00401198		1_2_00401198
Source: C:\Users\user\Desktop\SGIART9.exe	Code function: 1_2_00401244		1_2_00401244

Source: SGIART9.exe	Binary or memory string: OriginalFilename vs SGIART9.exe
Source: SGIART9.exe, 00000001.00000002.3423110448.000000000042A000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePBRUSH.EXEj% vs SGIART9.exe
Source: SGIART9.exe	Binary or memory string: OriginalFilenamePBRUSH.EXEj% vs SGIART9.exe

Source: C:\Users\user\Desktop\SGIART9.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SGIART9.exe	Section loaded: vb40032.dll			Jump to behavior

Source: SGIART9.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: SGIART9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SGIART9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SGIART9.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SGIART9.exe

Static file information: File size 1283072 > 1048576

Source: SGIART9.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x122a00

Source: C:\Users\user\Desktop\SGIART9.exe	Code function: 1_2_004154BB push es; ret	1_2_004154C0
Source: C:\Users\user\Desktop\SGIART9.exe	Code function: 1_2_00415B67 push ds; iretd	1_2_00415B71
Source: C:\Users\user\Desktop\SGIART9.exe	Code function: 1_2_00415B6C push ds; iretd	1_2_00415B71

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SGIART9.exe	5%	ReversingLabs
SGIART9.exe	3%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417156
Start date and time:	2024-03-28 17:19:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SGIART9.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SGIART9.exe, PID 3852 because there are no executed function

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.593662939621002
TrID:	Win32 Executable (generic) a (10002005/4) 96.61% Win32 Executable Microsoft Visual Basic 4 (333391/15) 3.22% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SGIART9.exe
File size:	1'283'072 bytes
MD5:	0a404629a2a8a1185c3048d164f7eca2
SHA1:	c40fee8f8a0247359a05c9db8be6fb66ca65b452
SHA256:	5f7a67bd387dfc4c9d750cdc0ced3e4efb37dcc918a0ce4869f3561b88944873
SHA512:	c8b41c996f66af9df25ec9b313c17d8ff7abe68b2b53e118e4cc467dc1090a5c9b90650ffd0ee7b51ed02803083970dac1f70a0230d7654e3b76e36c15f96e75
SSDEEP:	24576:pIzhlr97NFmJjPHW0iQpLmGJnIHgtzQyVgodt:psqjcGJIHgtz/Vgo7
TLSH:	4855F67296279A17C5D32B70EB8BC1101D2D3D8E7E33C653B1287269AA33102AD567FD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)F.................0...................@....@........................................................................

File Icon


Icon Hash:	9299ececb6a6acd2

Static PE Info

General

Entrypoint:	0x401198
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x46290CC4 [Fri Apr 20 18:56:04 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	74f34a3b1e38a361829bcf0cdb946308

Entrypoint Preview

Instruction
push 00415C70h
call 00007F273D4A9985h
add byte ptr [eax], al
les edx, fword ptr [ecx+41h]
add byte ptr [ecx+edx*2+51940041h], dh
inc ecx
add byte ptr [ecx+edx*2+41h], ah
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [ebx-251676EAh], dh
inc ebp
sbb edx, dword ptr [eax]
mov cl, 76h
or byte ptr [eax], al
sub esi, dword ptr [ebx]
outsd
pushad
sub eax, 10000300h
add byte ptr [eax], al
add ah, dh
adc eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov byte ptr [edx], 0000004Dh
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [edx-251676EAh], dh
inc ebp
sbb edx, dword ptr [eax]
mov cl, 76h
or byte ptr [eax], al
sub esi, dword ptr [ebx]
outsd
pushad
inc edx
add byte ptr [ebx], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [ecx+edx+00000040h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
fild word ptr [edx]
dec ebp
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [edx-251676EAh], dh
inc ebp
sbb edx, dword ptr [eax]
mov cl, 76h
or byte ptr [eax], al
sub esi, dword ptr [ebx]
outsd
pushad
xor al, byte ptr [eax]
add eax, dword ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
test byte ptr [edi], dl
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bl
add eax, 0003004Dh
add byte ptr [eax], al
mov bl, 16h
mov ecx, ebp
fiadd dword ptr [ebp+1Bh]
adc byte ptr [ecx+2B000876h], dh
xor ebp, dword ptr [edi+60h]
push ss
add byte ptr [ebx], al
add byte ptr [eax], dl
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x131000	0x28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x125000	0xbd78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0xa35c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x123900	0xb	.text
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x240	0x1c
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x123000	0x122a00	db81d166cb95214200d0ab65c40ee0d8	False	0.2939180107526882	data	5.481469643936214	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss	0x124000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x125000	0xc000	0xbe00	503797293ad38623cf7f1fc4cd146438	False	0.35047286184210524	data	4.926783178900168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x131000	0x1000	0x400	0110ab2b27565333dd80968c69c835f7	False	0.4091796875	data	3.6667890631988054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0xb000	0xa400	73949eab857563b837365fcea5261ec9	False	0.7158679496951219	data	6.465663215252826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
TYPELIB	0x126700	0x5588	data	0.44172451589331385
_IID_COLORPALL	0x126610	0x14	data	1.45
_IID_FONTADD	0x126570	0x14	data	1.45
_IID_FORM1	0x1266ec	0x14	data	1.45
_IID_FORM2	0x1266c4	0x14	data	1.4
_IID_FORM3	0x1266b0	0x14	data	1.45
_IID_FORM4	0x12669c	0x14	data	1.45
_IID_FORM5	0x12664c	0x14	data	1.45
_IID_FORMATT	0x126598	0x14	data	1.45
_IID_FORMDIST	0x1265d4	0x14	data	1.45
_IID_FORMDUBLE5	0x1265c0	0x14	data	1.45
_IID_FORMFONTIM	0x126688	0x14	data	1.45
_IID_FORMGRANGLE	0x126584	0x14	data	1.4
_IID_FORMGRID	0x126674	0x14	data	1.4
_IID_FORMHWY	0x1265ac	0x14	data	1.45
_IID_FORMIMPORT	0x126660	0x14	data	1.4
_IID_FORMOPEN	0x126638	0x14	data	1.4
_IID_FORMPLOT	0x12655c	0x14	data	1.4
_IID_FORMREPEAT	0x1265fc	0x14	data	1.45
_IID_FORMSP	0x126624	0x14	data	1.45
_IID_FRMABOUT	0x1266d8	0x14	data	1.4
_IID_FRMEDITOR	0x1265e8	0x14	data	1.4
_IID_FRMSPELL	0x126534	0x14	data	1.45
_IID_FRMWAITP	0x126548	0x14	data	1.45
RT_ICON	0x12624c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.23387096774193547
RT_STRING	0x1308a8	0x4d0	data	0.3952922077922078
RT_STRING	0x130474	0x434	data	0.4191449814126394
RT_STRING	0x130118	0x35c	data	0.4441860465116279
RT_STRING	0x12fbd8	0x540	data	0.3645833333333333
RT_STRING	0x12f5a0	0x638	data	0.39824120603015073
RT_STRING	0x12f2e0	0x2c0	data	0.3252840909090909
RT_STRING	0x12f000	0x2e0	data	0.296195652173913
RT_STRING	0x12eb94	0x46c	data	0.19964664310954064
RT_STRING	0x12e7a0	0x3f4	data	0.27964426877470355
RT_STRING	0x12e6cc	0xd4	data	0.5094339622641509
RT_STRING	0x12e5f8	0xd4	data	0.47641509433962265
RT_STRING	0x12e258	0x3a0	data	0.3566810344827586
RT_STRING	0x12c754	0xf0	data	0.5375
RT_STRING	0x12bc88	0x98	data	0.5657894736842105
RT_STRING	0x12e170	0xe8	data	0.49137931034482757
RT_STRING	0x12dd0c	0x84	data	0.5606060606060606
RT_STRING	0x12e118	0x58	data	0.5227272727272727
RT_STRING	0x12dde0	0x338	data	0.279126213592233
RT_STRING	0x12dd90	0x50	data	0.6875
RT_STRING	0x12db20	0x1ec	data	0.45528455284552843
RT_STRING	0x12ce0c	0x170	data	0.5652173913043478
RT_STRING	0x12cf7c	0xc8	data	0.55
RT_STRING	0x12d7b0	0x370	data	0.44545454545454544
RT_STRING	0x12d49c	0x314	data	0.45685279187817257
RT_STRING	0x12d044	0x458	data	0.3902877697841727
RT_STRING	0x12bd20	0x3c4	data	0.3983402489626556
RT_STRING	0x12c844	0x298	data	0.42771084337349397
RT_STRING	0x12cadc	0x330	data	0.4375
RT_STRING	0x12c534	0x220	data	0.45588235294117646
RT_STRING	0x12c2d8	0x25c	data	0.4602649006622517
RT_STRING	0x12c0e4	0x1f4	data	0.524
RT_GROUP_ICON	0x126238	0x14	data	1.25
RT_VERSION	0x126018	0x220	data	0.5110294117647058

Imports

DLL	Import
VB40032.DLL

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SGIART9.exePID: 3852, Parent PID: 4004

General

Target ID:	1
Start time:	17:19:55
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\SGIART9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SGIART9.exe"
Imagebase:	0x400000
File size:	1'283'072 bytes
MD5 hash:	0A404629A2A8A1185C3048D164F7ECA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SGIART9.exePID: 3852, Parent PID: 4004COMMON

Non-executed Functions

Function 00401198 Relevance: 3.8, APIs: 1, Instructions: 2320COMMON

Download Yara Rule

APIs

#100.VB40032(00415C70), ref: 0040119D

Memory Dump Source

Source File: 00000001.00000002.3423110448.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3423089822.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423110448.000000000040C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423110448.000000000042A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423110448.0000000000508000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423228885.0000000000525000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423243353.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3423255679.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SGIART9.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: fa7056baa48721a4097e31f5c2b40921648737db342e2ffeb796e24489242d5b
Instruction ID: b0c3218cf1a7f83b2754b7bc71f5b890679a1ebb43aad00f5e8503c677b36880
Opcode Fuzzy Hash: fa7056baa48721a4097e31f5c2b40921648737db342e2ffeb796e24489242d5b
Instruction Fuzzy Hash: D4C2056110E7C54FCB078B788CB96817FB1AE0321871E45EBC4C1CF1A7E668A95ED762

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SGIART9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SGIART9.exePID: 3852, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: SGIART9.exePID: 3852, Parent PID: 4004COMMON

Non-executed Functions

Function 00401198 Relevance: 3.8, APIs: 1, Instructions: 2320COMMON

Windows Analysis Report
SGIART9.exe