Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Analysis ID:	1417470
MD5:	04c989d29336fb35d0acf623b8bcf64c
SHA1:	67c95f5de71452deb7843c9ac2880340c50e4a28
SHA256:	ad132be05b5588ba7a292e3ae2faab0401f5380bbd4796483d45df99dc1500e9
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Installs Task Scheduler Managed Wrapper

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe" MD5: 04C989D29336FB35D0ACF623B8BCF64C)

RuntimeBroker.exe (PID: 4508 cmdline: "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe" MD5: 04C989D29336FB35D0ACF623B8BCF64C)

RuntimeBroker.exe (PID: 4200 cmdline: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe MD5: 04C989D29336FB35D0ACF623B8BCF64C)

cleanup

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, ProcessId: 6784, TargetFilename: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, ParentProcessId: 6784, ParentProcessName: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe" , ProcessId: 4508, ProcessName: RuntimeBroker.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Virustotal: Detection: 59%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 77.38.200.133:6969

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: xn--80aa3a1a9c.online

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RuntimeBroker.exe, 00000002.00000002.3327883889.000001CB299A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, Keyboard.cs	.Net Code: SetHook
Source: RuntimeBroker.exe.0.dr, Keyboard.cs	.Net Code: SetHook

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AE369	2_2_00007FFD348AE369
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC4B8	2_2_00007FFD348AC4B8
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC4A8	2_2_00007FFD348AC4A8
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC4A0	2_2_00007FFD348AC4A0
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC578	2_2_00007FFD348AC578
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348A1968	2_2_00007FFD348A1968
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348A0F50	2_2_00007FFD348A0F50
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC660	2_2_00007FFD348AC660
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC6D3	2_2_00007FFD348AC6D3
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348AC43F	2_2_00007FFD348AC43F
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 3_2_00007FFD348C2399	3_2_00007FFD348C2399
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 3_2_00007FFD348C1518	3_2_00007FFD348C1518
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 3_2_00007FFD348C1430	3_2_00007FFD348C1430

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll 74FE1A6A1E36BE7D893E31BBB4D4BD83BF4B927E715276CD5607982139818EBD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

Source: RuntimeBroker.exe.0.dr	Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081931674.0000020C38B59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081931674.0000020C38B59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074244768.0000020C26DA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074244768.0000020C26DA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2082156882.0000020C41424000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074337572.0000020C26EAA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSchedulerSnapshot.cs	Task registration methods: 'InternalCreate', 'Create'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, SystemInfo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, Tools.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: RuntimeBroker.exe.0.dr, SystemInfo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: RuntimeBroker.exe.0.dr, Tools.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal88.spyw.evad.winEXE@4/5@2/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

File created: C:\Users\user\AppData\Roaming\Local

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Virustotal: Detection: 59%

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static file information: File size 1075712 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38bab2f8.0.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38bab2f8.0.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Static PE information: 0xBF843D4D [Mon Oct 26 19:51:41 2071 UTC]

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348A7870 pushad ; retf	2_2_00007FFD348A789D
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348A789E push eax; retf	2_2_00007FFD348A78AD
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Code function: 2_2_00007FFD348A030E push E95D947Dh; ret	2_2_00007FFD348A0329

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	File created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Memory allocated: 20C271E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Memory allocated: 20C40B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Memory allocated: 1CB27F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Memory allocated: 1CB419A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Memory allocated: 224AB630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Memory allocated: 224C3630000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe TID: 3856

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RuntimeBroker.exe, 00000003.00000002.3327179086.00000224A9AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\Lo
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081479409.0000020C27101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: RuntimeBroker.exe, 00000002.00000002.3328327285.000001CB41F21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	111 Scheduled Task/Job	11 Process Injection	1 Masquerading	21 Input Capture	11 Security Software Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	111 Scheduled Task/Job	1 DLL Side-Loading	111 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Agentagen
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	60%	Virustotal		Browse
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Agentagen
C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe	60%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://james.newtonking.com/projects/json	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xn--80aa3a1a9c.online	77.38.200.133	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.newtonsoft.com/json	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RuntimeBroker.exe, 00000002.00000002.3327883889.000001CB299A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	Newtonsoft.Json.dll.0.dr	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	Newtonsoft.Json.dll.0.dr	false		high
https://github.com/JamesNK/Newtonsoft.Json	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr	false		high
https://github.com/dahall/taskscheduler	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.38.200.133	xn--80aa3a1a9c.online	Latvia		20910	BALTKOM-ASLV	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417470
Start date and time:	2024-03-29 11:37:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Detection:	MAL
Classification:	mal88.spyw.evad.winEXE@4/5@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 12 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, PID 6784 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:38:05	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachine path: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BALTKOM-ASLV	ydlkilluNn.elf	Get hash	malicious	Gafgyt, Mirai	Browse	213.180.97.134
	AFWaD3vnqR.elf	Get hash	malicious	Mirai, Gafgyt	Browse	213.180.97.154
	dOFtshU17q.elf	Get hash	malicious	Mirai	Browse	94.30.193.58
	wgOzQ8Oyzg.elf	Get hash	malicious	Mirai	Browse	213.180.97.139
	ktMLmEUY2l.elf	Get hash	malicious	Mirai	Browse	93.177.221.20
	LUNFk2Hgfu.elf	Get hash	malicious	Mirai, Okiru	Browse	213.180.97.148
	rGZOpOzYrg.elf	Get hash	malicious	Mirai, Moobot	Browse	93.177.221.61
	01vS5TqGur.elf	Get hash	malicious	Mirai	Browse	94.30.214.5
	jew.x86.elf	Get hash	malicious	Mirai	Browse	93.177.221.21
	WDw9LnYz2p.elf	Get hash	malicious	Unknown	Browse	89.201.106.220

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll	pdfviewer.msi	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.10427.19540.12669.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.10427.19540.12669.exe	Get hash	malicious	Unknown	Browse
	MSIx64.msi	Get hash	malicious	Unknown	Browse
	MSIx64.msi	Get hash	malicious	Unknown	Browse
	INVOICE31401001340.exe	Get hash	malicious	Unknown	Browse
	INVOICE31401001340.exe	Get hash	malicious	Unknown	Browse
	24ef9864.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll	Clear-EasyPrint.b7002.ntclear.top.SK008.ch.exe	Get hash	malicious	Unknown	Browse
	Clear-EasyPrint.b7002.ntclear.top.SK008.ch.exe	Get hash	malicious	Unknown	Browse
	OrangeBot Installer - UAT (1.18.5.23313).msi	Get hash	malicious	Unknown	Browse
	https://geteasypdf.com/	Get hash	malicious	Unknown	Browse
	InstallSetup2.exe	Get hash	malicious	Petite Virus	Browse
	CV.AppLauncherSetup6.2.7.msi	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_4e8af2004a77f531e655e2e5cb669c388d0655c9.zip	Get hash	malicious	Unknown	Browse
	https://fastprintapp.com/lp1?channel=hud-gdn&tracking_id=142&oid=142&affid=1025&source_id=google&sub1=142imall&gclid=EAIaIQobChMI5Lzv2NSvgwMVXaOmBB3WUQkTEAEYASAAEgI9zPD_BwE	Get hash	malicious	Unknown	Browse
	https://onelaunch.com/download	Get hash	malicious	Unknown	Browse
	Comprovante_Pix_023103.vbs	Get hash	malicious	Netcat	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.105576145657233
Encrypted:	false
SSDEEP:	3072:o1sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5Dfm:o1sSmRIt/xhtsOju1DH5NXnIKAc
MD5:	A844AC745A4005FBD3F51D79FF88583C
SHA1:	92671774FD4BE9781A77D2788A8DDDBF8981EAD5
SHA-256:	74FE1A6A1E36BE7D893E31BBB4D4BD83BF4B927E715276CD5607982139818EBD
SHA-512:	5F0734058D9146FFEB552ABF443DF5097CF134A4737BED499467830E08D97F5D1996C1F1647C5C12289CA4D4209EFFD480010AFEBC59D50290D4CA7D45BB41F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Clear-EasyPrint.b7002.ntclear.top.SK008.ch.exe, Detection: malicious, Browse Filename: Clear-EasyPrint.b7002.ntclear.top.SK008.ch.exe, Detection: malicious, Browse Filename: OrangeBot Installer - UAT (1.18.5.23313).msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: InstallSetup2.exe, Detection: malicious, Browse Filename: CV.AppLauncherSetup6.2.7.msi, Detection: malicious, Browse Filename: MDE_File_Sample_4e8af2004a77f531e655e2e5cb669c388d0655c9.zip, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Comprovante_Pix_023103.vbs, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._O............" ..0..............-... ...@....... ..............................I.....`.................................0-..O....@.......................`......(,..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d-......H............V..........`...H....+........................................{......{....V.(......}......}.......0..A........u2.......4.,/(.....{.....{....o....,.(.....{.....{....o....... ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X...0..b........r...p......%..{.......%q5....5...-.&.+...5...o.....%..{.......%q6....6...-.&.+...6...o.....(......{......{......{....r.(......}......}......}......0..Y........u7.......L.,G(.....{.....{....o....,/(.....{.....{....o....

C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	711952
Entropy (8bit):	5.967185619483575
Encrypted:	false
SSDEEP:	12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
MD5:	195FFB7167DB3219B217C4FD439EEDD6
SHA1:	1E76E6099570EDE620B76ED47CF8D03A936D49F8
SHA-256:	E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
SHA-512:	56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: pdfviewer.msi, Detection: malicious, Browse Filename: SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.10427.19540.12669.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.10427.19540.12669.exe, Detection: malicious, Browse Filename: MSIx64.msi, Detection: malicious, Browse Filename: MSIx64.msi, Detection: malicious, Browse Filename: INVOICE31401001340.exe, Detection: malicious, Browse Filename: INVOICE31401001340.exe, Detection: malicious, Browse Filename: 24ef9864.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{\|....3...{{......(....,...{{.....{}.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1075712
Entropy (8bit):	6.020202241266955
Encrypted:	false
SSDEEP:	24576:czCJ3x7Bjk38WuBcAbwoA/BkjSHXP36RMG:0CJ3JCSA/Bkj0
MD5:	04C989D29336FB35D0ACF623B8BCF64C
SHA1:	67C95F5DE71452DEB7843C9AC2880340C50E4A28
SHA-256:	AD132BE05B5588BA7A292E3AE2FAAB0401F5380BBD4796483D45DF99DC1500E9
SHA-512:	74127D593AF83F76EE9242BC7B277BB87EC94218A2AD53CB78084CDFBC8B6953680589BD7C73FAC97C6990A659097CAC997DB068C0A758FEC893092EABDA8152
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...M=............"...0..b............... .....@..... ....................................`...@......@............... .............................................................................................................................. ..H............text....a... ...b.................. ..`.rsrc................d..............@..@........................................H........A...I..............H.............................................{...."..}......{...."..}......{...."..}......0..\........(.....(.....o......,..(7......i(.....~....,..(.........io.........io....r...p..i.H...(....F(.....(....o......( ...:.(......(......{...."..}......{...."..}......{ ..."..} .....{!..."..}!...>.(.......(........0..C........r...p(...+..r...p(...+..,.r1..p(D....-..(C...r3..p 9.......s....&..( ...*..0..\........s"...}#....( ......}-......})..

C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.020202241266955
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
File size:	1'075'712 bytes
MD5:	04c989d29336fb35d0acf623b8bcf64c
SHA1:	67c95f5de71452deb7843c9ac2880340c50e4a28
SHA256:	ad132be05b5588ba7a292e3ae2faab0401f5380bbd4796483d45df99dc1500e9
SHA512:	74127d593af83f76ee9242bc7b277bb87ec94218a2ad53cb78084cdfbc8b6953680589bd7c73fac97c6990a659097cac997db068c0a758fec893092eabda8152
SSDEEP:	24576:czCJ3x7Bjk38WuBcAbwoA/BkjSHXP36RMG:0CJ3JCSA/Bkj0
TLSH:	F4354A4163FC8B2BD5AF6B35F4700A1547F9F807A6BAE78F5A44D8AA1C537808E50363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...M=............"...0..b............... .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBF843D4D [Mon Oct 26 19:51:41 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1081cc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1061e8	0x106200	7febc7f073c935dc0b91b195fefcc37d	False	0.39404972132808774	data	6.025061209798328	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x408	0x600	2f41b1db888c78e12e457694247e160d	False	0.2799479166666667	data	2.4167892084815583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10a058	0x3ac	data			0.41914893617021276

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:38:05.724276066 CET	49710	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:06.292213917 CET	49711	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:06.729870081 CET	49710	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:07.276765108 CET	49711	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:08.729870081 CET	49710	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:09.292361021 CET	49711	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:12.729866028 CET	49710	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:13.292355061 CET	49711	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:20.729863882 CET	49710	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:21.292484045 CET	49711	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:26.735270023 CET	49719	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:27.295816898 CET	49720	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:27.744210005 CET	49719	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:28.292397022 CET	49720	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:29.745518923 CET	49719	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:30.292490959 CET	49720	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:33.761178017 CET	49719	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:34.292414904 CET	49720	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:41.761136055 CET	49719	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:42.292367935 CET	49720	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:47.762957096 CET	49722	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:48.294059038 CET	49723	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:48.776799917 CET	49722	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:49.292378902 CET	49723	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:50.776737928 CET	49722	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:51.292491913 CET	49723	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:54.776746988 CET	49722	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:38:55.292357922 CET	49723	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:02.776774883 CET	49722	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:03.292392015 CET	49723	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:08.924551964 CET	49727	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:09.294114113 CET	49728	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:09.933017969 CET	49727	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:10.292484999 CET	49728	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:11.932998896 CET	49727	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:12.292365074 CET	49728	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:15.948626041 CET	49727	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:16.292499065 CET	49728	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:23.966094017 CET	49727	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:24.292375088 CET	49728	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:29.981678963 CET	49731	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:30.294107914 CET	49732	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:30.979927063 CET	49731	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:31.292368889 CET	49732	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:32.979877949 CET	49731	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:33.292418003 CET	49732	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:36.995517969 CET	49731	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:37.298099995 CET	49732	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:45.011132956 CET	49731	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:45.292388916 CET	49732	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:51.028522015 CET	49733	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:51.293904066 CET	49734	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:52.026758909 CET	49733	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:52.292427063 CET	49734	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:54.026777983 CET	49733	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:54.292398930 CET	49734	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:58.042381048 CET	49733	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:39:58.292407990 CET	49734	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:40:06.042386055 CET	49733	6969	192.168.2.6	77.38.200.133
Mar 29, 2024 11:40:06.292438030 CET	49734	6969	192.168.2.6	77.38.200.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:38:05.438035965 CET	55907	53	192.168.2.6	1.1.1.1
Mar 29, 2024 11:38:05.713505983 CET	53	55907	1.1.1.1	192.168.2.6
Mar 29, 2024 11:39:08.779867887 CET	60471	53	192.168.2.6	1.1.1.1
Mar 29, 2024 11:39:08.923782110 CET	53	60471	1.1.1.1	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 29, 2024 11:38:08.626734018 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:08.626754999 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:08.626765966 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:08.626777887 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:11.952656984 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:11.952678919 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:15.368809938 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:21.658783913 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:21.658802986 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:27.846877098 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:27.846894979 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:30.968101025 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:30.968120098 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:30.968132973 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:35.681051970 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:42.276127100 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:38:49.295073032 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:03.385411024 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:12.937393904 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:17.853511095 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:25.499408007 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:25.499428034 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:32.873506069 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:32.873528004 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:36.201483011 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:46.579648018 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:46.579672098 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:53.653722048 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:39:57.253273964 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable
Mar 29, 2024 11:40:01.007731915 CET	77.38.200.133	192.168.2.6	d57f	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 11:38:05.438035965 CET	192.168.2.6	1.1.1.1	0x810c	Standard query (0)	xn--80aa3a1a9c.online	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:39:08.779867887 CET	192.168.2.6	1.1.1.1	0x56dd	Standard query (0)	xn--80aa3a1a9c.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 11:38:05.713505983 CET	1.1.1.1	192.168.2.6	0x810c	No error (0)	xn--80aa3a1a9c.online		77.38.200.133	A (IP address)	IN (0x0001)	false
Mar 29, 2024 11:39:08.923782110 CET	1.1.1.1	192.168.2.6	0x56dd	No error (0)	xn--80aa3a1a9c.online		77.38.200.133	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:38:03
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe"
Imagebase:	0x20c26da0000
File size:	1'075'712 bytes
MD5 hash:	04C989D29336FB35D0ACF623B8BCF64C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:38:03
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"
Imagebase:	0x1cb279f0000
File size:	1'075'712 bytes
MD5 hash:	04C989D29336FB35D0ACF623B8BCF64C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:38:05
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Imagebase:	0x224a9780000
File size:	1'075'712 bytes
MD5 hash:	04C989D29336FB35D0ACF623B8BCF64C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD348903A8 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

psx4, xrefs: 00007FFD34890539
?O_^, xrefs: 00007FFD34890501
8tx4, xrefs: 00007FFD348905C9

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8tx4$?O_^$psx4
API String ID: 0-3800927976
Opcode ID: effdcc239cd139d4e925902ce16df204a0b4ee6414cbfe8d6717fc567e6f32c6
Instruction ID: a16a6611de851b4259e330fbd9b0d636247f076bcc649baecd8ebed9aebe5113
Opcode Fuzzy Hash: effdcc239cd139d4e925902ce16df204a0b4ee6414cbfe8d6717fc567e6f32c6
Instruction Fuzzy Hash: C951B457B0FAD21BE35257AD28B10E92F64AF4332470C40BBD1DCCB1E7E85DA9099356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348905B8 Relevance: 2.9, Strings: 2, Instructions: 368COMMON

Download Yara Rule

Strings

(tx4, xrefs: 00007FFD348905B9
8tx4, xrefs: 00007FFD348905C9

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (tx4$8tx4
API String ID: 0-589491909
Opcode ID: ec2663055582f7e78faebadd52db95c7c15c89fe259142ecf5512bbb8f2f7dce
Instruction ID: e287cbc493c7be8181546b75558fd1627b37a106cec031086138b6ec96ce875c
Opcode Fuzzy Hash: ec2663055582f7e78faebadd52db95c7c15c89fe259142ecf5512bbb8f2f7dce
Instruction Fuzzy Hash: B631B552B0DFC64FE3569B6C58B51A57FE0EF9335130900BBC188DB1A3D91DAC0A9361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890E62 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

Pwx4, xrefs: 00007FFD34890E76

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Pwx4
API String ID: 0-2108008736
Opcode ID: 7c0d1ee8f364ad5102ca1f95be054006e806614d3fb1474fcd92b5d6e7d77c25
Instruction ID: 233b3eea6d04eed3d21174f7d70b54f4d42bbd58ebb8c216fd8b7cfe7786d0ca
Opcode Fuzzy Hash: 7c0d1ee8f364ad5102ca1f95be054006e806614d3fb1474fcd92b5d6e7d77c25
Instruction Fuzzy Hash: 3AF0F622B09C0D4FEBE5EB5C94A56943BD1EFEA39134901E3E40CCB36AD918DD828790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890680 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6a5eb1e9f4688b56c306700c3b1a48f67abd7bc29073968267fa188dacecf1
Instruction ID: b3c204263f5f4c6fc6a55ddc9f108c0f91ba470b46e8c1926da0d6c71b21c0df
Opcode Fuzzy Hash: cc6a5eb1e9f4688b56c306700c3b1a48f67abd7bc29073968267fa188dacecf1
Instruction Fuzzy Hash: 66210AA2B0DBC90FE7968B2C58B10617FE1EFDB35074501AFD089C7297C91C5C069362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890949 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0946c0ceb3edfa7eacb6923cf261866a79854d3c4de3f11142bceecae9a63a6b
Instruction ID: 7037ee886a2dbc2d61d08d3d0a893dcfc184914322c44538e7a2459296676333
Opcode Fuzzy Hash: 0946c0ceb3edfa7eacb6923cf261866a79854d3c4de3f11142bceecae9a63a6b
Instruction Fuzzy Hash: B5812131B1890E4FEB95EBA8C4A5AFD7BE1FF9B300F4401B5D10DE7296DE28A8419750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890CE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28af1e89be12012ac4bf52d7dffcebe99bf9407f4ad9431e510debd8a12e18e2
Instruction ID: 9d6ba94d385e0b32a2476b52a20814c140fd8d8e57f573c70e8c83daac01f7d8
Opcode Fuzzy Hash: 28af1e89be12012ac4bf52d7dffcebe99bf9407f4ad9431e510debd8a12e18e2
Instruction Fuzzy Hash: 2F21D611B0CD460FEB96A7A800722A96BC29F9B351B5901B1D50CC77CBDD6C9C464361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890DC1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70093c199c4630bc5476d922f3ca1237968401425f5877d95c08e740a88464a2
Instruction ID: 2890e1787745b654b101a46caf30bdb99e350393d4d75577a339f8898b04c5b0
Opcode Fuzzy Hash: 70093c199c4630bc5476d922f3ca1237968401425f5877d95c08e740a88464a2
Instruction Fuzzy Hash: C1F0C271A0EA894FDB45DB2C88A5D953FE0EF6734074A41E5D048CF5A3C92CEC428710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348912F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1e5c80cbf676927ac5ec1bd245613e23f85c69d20c0da7d4391543d632bfc1
Instruction ID: 495d6b8b6cab5eb2d74287a187633762a6fc22648f4a2739132740a6c477b42d
Opcode Fuzzy Hash: 6d1e5c80cbf676927ac5ec1bd245613e23f85c69d20c0da7d4391543d632bfc1
Instruction Fuzzy Hash: BAF06561B09D094FEB84EB2C84A99517BE1EB6B34179501A1E409CB266D868EC865720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34890DE9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082621900.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f0d1035289a668f89f431f8a12fb0290b0b86d143436f70f794e8544ca8fc
Instruction ID: 73b39f957b6f6211483c87934e47b46910afde8f2cb72282b9d9853ce7b84dcd
Opcode Fuzzy Hash: df2f0d1035289a668f89f431f8a12fb0290b0b86d143436f70f794e8544ca8fc
Instruction Fuzzy Hash: F1E01271708D4D8FDB84EF1C84A59557BE1EB6B3413960091D409CB376D928DD868B20

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RuntimeBroker.exePID: 4508, Parent PID: 6784COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD348AE369 Relevance: 2.2, Strings: 1, Instructions: 997
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD348AEA44

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 84eabdf2c5f4c6d1439c89561777910807fdd9ddf55629e56bf24397fbf2d84d
Instruction ID: f24b38a87c847bdcf6f4b4a22d04d6d3f1a841fd67a047364c284da359d6dd08
Opcode Fuzzy Hash: 84eabdf2c5f4c6d1439c89561777910807fdd9ddf55629e56bf24397fbf2d84d
Instruction Fuzzy Hash: 74522631B4EB4A0FE3A9DB2C84A567577E1FF56310B1849BAD18EC7193DE28F8428351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AF838 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD348AF901

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1c4c3a6a01b6a6b88ce9a7eff16693591a3698ea44fc9a764d646eb877f1afab
Instruction ID: 20994787f76b0ec6c374c32a5cb7041faa97934b29d53924a299aa0cdac47f6b
Opcode Fuzzy Hash: 1c4c3a6a01b6a6b88ce9a7eff16693591a3698ea44fc9a764d646eb877f1afab
Instruction Fuzzy Hash: 89411531A0CA4C4FDB58DB6898566F9BBE1EF59321F04423ED049D3292CE74A81287C1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD348AC43F Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f1b7c85d28ffbef4994875dcd55130a22597882fac0ca596da5c32275d6234
Instruction ID: 232f9008ea82f0f627b1e97981de5bae296d8faffbb9a8f51c880fa7eb1b0701
Opcode Fuzzy Hash: 02f1b7c85d28ffbef4994875dcd55130a22597882fac0ca596da5c32275d6234
Instruction Fuzzy Hash: BFE1A613A0E6D51BE751A7BCA8711EA7BA0AF43324B0C51FBD188CB0D3E96C74499396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC4A8 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78b0b4c5bf0cc0b738ee718ff63e5f195f9ae9d2845cc62ac2ab98fe9245b11
Instruction ID: c36bea04c8b46a6cd475a6617e98928d02d563d83acc81886d2ff2d97b8dc3dc
Opcode Fuzzy Hash: c78b0b4c5bf0cc0b738ee718ff63e5f195f9ae9d2845cc62ac2ab98fe9245b11
Instruction Fuzzy Hash: 86C1C907B0E5D11BF761A7FCB8721EA6B54AF43324B0C51BBD1888B0D3ADAC74469396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC4A0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d016233426666b3bac5f77c8d9aca6db5327d5af393c86516598b5000d1937
Instruction ID: 18cae95dc3fe8cfda7eb51df866b21192b80ac0f0cb139f16afffd877737c10d
Opcode Fuzzy Hash: 27d016233426666b3bac5f77c8d9aca6db5327d5af393c86516598b5000d1937
Instruction Fuzzy Hash: 4DD1B817B0E5D11BE761A7BCB8711EA7BA0AF43324B0C51BBD188CB0D3ADAC74459396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC4B8 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316af0f35f34ac09b4647d5288dcd18855ceeb57637bb346b680973b42c753c1
Instruction ID: cff42c39287551be90129478d8c13859766a09d78c735c9069421c7c96072ee0
Opcode Fuzzy Hash: 316af0f35f34ac09b4647d5288dcd18855ceeb57637bb346b680973b42c753c1
Instruction Fuzzy Hash: 17C1DA07B0E6D11BF761A7FCB8711EA6B50AF43324B0C51BBD1888B0D3ADAC74459396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A1968 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b95f41ebccfa9a1ce65376e8d59710f0f0fd9834448990a1985500180b207b
Instruction ID: 4b6c1f0e12ab4511413877d8d49c50f842ac2c140afbe6959f2719b3e2299682
Opcode Fuzzy Hash: 70b95f41ebccfa9a1ce65376e8d59710f0f0fd9834448990a1985500180b207b
Instruction Fuzzy Hash: F0B1E517B0D6A21BD32177FCB8B51EA7B64DF8237570C55BBD2C8CA093A868704A83D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC578 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae00cc202255634960326bda963730d815511477ce47c2d5c7dad107412a3fc
Instruction ID: aca436194a389c9c634f559ec5abc2d735c425544ea277973b72ad89b81e269b
Opcode Fuzzy Hash: cae00cc202255634960326bda963730d815511477ce47c2d5c7dad107412a3fc
Instruction Fuzzy Hash: 46A1E707B0E6D11BF751A7FCB8711EA6B60AF43324B0C51BBD1888B0D3ADAC74459396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0F50 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89db795e16ee86d036ddbda06bb6ac5cb83c9eb5766a1934a8e581491f6020a
Instruction ID: 2f843f9fbb2175e22055ee8f010a90eacd81e898b1ea74b117f6eca7adaa706b
Opcode Fuzzy Hash: e89db795e16ee86d036ddbda06bb6ac5cb83c9eb5766a1934a8e581491f6020a
Instruction Fuzzy Hash: 4571F423B0D5A157D321BBFCB8B61EABBA4EF4137870C5177D2CC9B093E86874468295

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC660 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31051c8845d169af9e3b3c886e5a96c8d6ba69d9a9ba7a7f933d27e75c40952
Instruction ID: 9a710f7327a4c59d99e76c77d871482c93bd0a5b2d60f7a89e0c439d74d67d55
Opcode Fuzzy Hash: e31051c8845d169af9e3b3c886e5a96c8d6ba69d9a9ba7a7f933d27e75c40952
Instruction Fuzzy Hash: 5981A957A0F6D11FF75197BCA8751E97B90AF43314B0C41BBD188CB1D3DAACA806A392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348AC6D3 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3328732630.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2db8cb3aed913c6a8431a18a8e32e9b9b7306639546002ed628866a8cc5941
Instruction ID: 56402cd494dfcc4344a179d1be8e669ce126413fe42007f7b69af8d01406be4d
Opcode Fuzzy Hash: dc2db8cb3aed913c6a8431a18a8e32e9b9b7306639546002ed628866a8cc5941
Instruction Fuzzy Hash: 0961BC53B0F6D51FF791976C68751EA6B90EF43324B0841FBD288CB1D3D95CA806A3A2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RuntimeBroker.exePID: 4200, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFD348C3058 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD348C3121

Memory Dump Source

Source File: 00000003.00000002.3329049809.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_RuntimeBroker.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: cb80da51b9ef6e0499002baf3d4ae11a1a11161ef9b60886285c4eb5b464be41
Instruction ID: 121c62d671b35330a0dae69d17d6e0dbbcdb0b0a274e502f65ad25ff37ee0c1d
Opcode Fuzzy Hash: cb80da51b9ef6e0499002baf3d4ae11a1a11161ef9b60886285c4eb5b464be41
Instruction Fuzzy Hash: 61410A31A0CA5D4FDB18EB5C98566F9BBE1EB5A321F00027FD04DD3292CA74A81287C1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.log

C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll

C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll

C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe

C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Function 00007FFD348AE369 Relevance: 2.2, Strings: 1, Instructions: 997
COMMON

Function 00007FFD348AF838 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Function 00007FFD348C3058 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON