
Windows Analysis Report
last_stage.exe

Overview

General Information

Sample name: last_stage.exe
Analysis ID: 1428248
MD5: ad15c8f35af52d9258c025bc2f051e34
SHA1: 042c427cab621421a89a87f83e76361640cb9bfc
SHA256: 41ca9b3177da771632347aeee0aabda5da37954f8933f80738f02f4fe07cbca1
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • last_stage.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\last_stage.exe" MD5: AD15C8F35AF52D9258C025BC2F051E34)
    • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: last_stage.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: last_stage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: last_stage.exe | Binary string: BthUdTask.pdbGCTL
Source: last_stage.exe | Binary string: BthUdTask.pdb
Source: last_stage.exe, 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBthUdTask.exej% vs last_stage.exe
Source: last_stage.exe | Binary or memory string: OriginalFilenameBthUdTask.exej% vs last_stage.exe
Source: classification engine | Classification label: clean4.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: last_stage.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\last_stage.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\last_stage.exe "C:\Users\user\Desktop\last_stage.exe"
Source: C:\Users\user\Desktop\last_stage.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\last_stage.exe | Section loaded: newdev.dll
Source: C:\Users\user\Desktop\last_stage.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\last_stage.exe | Section loaded: devrtl.dll
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: last_stage.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: last_stage.exe | Static PE information: 0xF898BAFC [Thu Mar 2 16:08:28 2102 UTC]
Source: last_stage.exe | Static PE information: real checksum: 0x15f44 should be: 0x3c3cb
Source: last_stage.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\last_stage.exe | Code function: 0_2_00512115 push ecx; ret 0_2_00512128
Source: C:\Users\user\Desktop\last_stage.exe | API coverage: 9.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\last_stage.exe | Code function: 0_2_0051212F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0051212F
Source: C:\Users\user\Desktop\last_stage.exe | Code function: 0_2_0051200B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0051200B
MITRE ATT&CK Matrix (matched techniques carry their match count in parentheses)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Process Injection (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Timestomp (1) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1428248; Sample: last_stage.exe; Start date: 18/04/2024; Architecture: WINDOWS; Score: 4. Graph nodes: last_stage.exe (started) -> conhost.exe (started).

Source | Detection | Scanner | Label
last_stage.exe | 8% | ReversingLabs | Win32.Malware.Generic
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428248
Start date and time: 2024-04-18 18:16:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: last_stage.exe
Detection: CLEAN
Classification: clean4.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 5
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 23.40.205.24, 23.40.205.19, 23.40.205.18, 23.40.205.17, 23.40.205.73, 23.40.205.83, 23.40.205.25, 23.40.205.65, 23.40.205.9
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: last_stage.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 4.634728027464927
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: last_stage.exe
File size: 188'960 bytes
MD5: ad15c8f35af52d9258c025bc2f051e34
SHA1: 042c427cab621421a89a87f83e76361640cb9bfc
SHA256: 41ca9b3177da771632347aeee0aabda5da37954f8933f80738f02f4fe07cbca1
SHA512: 05d0e063beb4615a51b7003d868452ad72e5eae957f5c90e677fd95a2bd78c26f0eb0e69bb4c117855eaa9192d69284325ae8be56dbc7d66f14ec904aaa40479
SSDEEP: 768:lfGgTViahszDOtfGgTViahszDOKJBq9YfGgTViahszDOHefGgTViahszDO:F4WsO94WsOKJBq904WsOC4WsO
TLSH: 6F04B84643AB19A4E44714F4F87AC87533626E609E33525E287C76BF69BE0CEDCD0236
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich............................PE..L..........
Icon Hash: 1b73e4b9f0f2512f
Entrypoint: 0x401d00
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xF898BAFC [Thu Mar 2 16:08:28 2102 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 4d14d19b876bbb7a86ffba329be9d956
Instruction
call 00007F5AB8CBEFABh
jmp 00007F5AB8CBEA74h
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [00403004h]
jne 00007F5AB8CBECA5h
retn 0000h
jmp 00007F5AB8CBF0E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
push 00401D10h
push 00403004h
call 00007F5AB8CBF1C8h
add esp, 18h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F5AB8CBECCDh
cmp dword ptr [eax+10h], 03h
jne 00007F5AB8CBECC7h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F5AB8CBECB7h
cmp eax, 19930521h
je 00007F5AB8CBECB0h
cmp eax, 19930522h
je 00007F5AB8CBECA9h
cmp eax, 01994000h
jne 00007F5AB8CBECA8h
call dword ptr [0040407Ch]
xor eax, eax
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00401D60h
call dword ptr [00404040h]
xor eax, eax
ret
int3
int3
int3
int3
int3
int3
jmp dword ptr [000040ACh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40c8 | 0x78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x6f68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd000 | 0x1a0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1210 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1008 | 0xbc | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0xc4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x23bc | 0x60 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x149c | 0x1600 | f2f22146a12dac87b8c15c0607631bea | False | 0.5276988636363636 | data | 5.499033431870281 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x3e0 | 0x200 | bcb053506e7c83e9b9455a0b5f85fd94 | False | 0.048828125 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4000 | 0x588 | 0x600 | 488e94517e0fd9462dc84b467c0c740b | False | 0.4830729166666667 | data | 4.719851963347107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x5000 | 0x14 | 0x200 | 806bb5285faa215c0646be1443c9a606 | False | 0.044921875 | data | 0.16476501235057214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x6f68 | 0x7000 | edd1c895a02223094a114d9855a4c978 | False | 0.279296875 | data | 3.8366325984328125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd000 | 0x1a0 | 0x200 | 02bd71be5011b2c20afee2a0121c8739 | False | 0.81640625 | data | 5.410463212754183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0xce90 | 0xd8 | data | English | United States | 0.5324074074074074
RT_ICON | 0x6b18 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5675675675675675
RT_ICON | 0x6c40 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.23699421965317918
RT_ICON | 0x71a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.49193548387096775
RT_ICON | 0x7490 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.4174187725631769
RT_ICON | 0x7d38 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.375
RT_ICON | 0x83a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.32116204690831557
RT_ICON | 0x9248 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2712765957446808
RT_ICON | 0x96b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3013602251407129
RT_ICON | 0xa758 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1808091286307054
RT_STRING | 0xcd88 | 0x108 | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.5037878787878788
RT_GROUP_ICON | 0xcd00 | 0x84 | data | English | United States | 0.6439393939393939
RT_VERSION | 0x6768 | 0x3ac | data | English | United States | 0.46063829787234045
RT_MANIFEST | 0x6370 | 0x3f6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47830374753451677
DLL | Import
ADVAPI32.dll | RegCloseKey, RegQueryValueExW
KERNEL32.dll | GetSystemTimeAsFileTime, GetCurrentThreadId, UnhandledExceptionFilter, QueryPerformanceCounter, GetModuleHandleW, SetUnhandledExceptionFilter, Sleep, GetTickCount, GetCurrentProcess, CloseHandle, SetEvent, OpenEventW, GetLastError, CompareStringOrdinal, TerminateProcess, GetCurrentProcessId, ResolveDelayLoadedAPI, DelayLoadFailureHook
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _except_handler4_common, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _vsnwprintf, memset
newdev.dll | DiUninstallDevice
DEVOBJ.dll | DevObjUninstallDevice, DevObjDestroyDeviceInfoList, DevObjGetDeviceInstanceId, DevObjGetClassDevs, DevObjCreateDeviceInfoList, DevObjOpenDevRegKey, DevObjEnumDeviceInfo
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID: 0
Start time: 18:16:52
Start date: 18/04/2024
Path: C:\Users\user\Desktop\last_stage.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\last_stage.exe"
Imagebase: 0x510000
File size: 188'960 bytes
MD5 hash: AD15C8F35AF52D9258C025BC2F051E34
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:16:52
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


    Execution Graph

    Execution Coverage: 13.3%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 5%
    Total number of Nodes: 100
    Total number of Limit Nodes: 2
    [execution_graph: flattened node and edge dump of the rendered execution graph (function nodes between 0x5115a6 and 0x512324 with their API calls); the per-function API lists are given in the sections below]

    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
    • String ID: |3Q$|3Q
    • API String ID: 796493780-2877643606
    • Opcode ID: 244e21eb206fb286825c8f96c9cdb787d7669d41d91750058eb3257fc07a33ed
    • Instruction ID: 8a19c12375f6cbe31b1fbbe797f8d4628dfabc6cd7d057eb61b42c4d41018f8c
    • Opcode Fuzzy Hash: 244e21eb206fb286825c8f96c9cdb787d7669d41d91750058eb3257fc07a33ed
    • Instruction Fuzzy Hash: 4B31C075A04A01DFFB259B64EC19BE97FE0F75C720F1049ADE215972A0EB304AC4EB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0051226B,P0Q), ref: 00512136
    • UnhandledExceptionFilter.KERNEL32(k"Q,?,0051226B,P0Q), ref: 0051213F
    • GetCurrentProcess.KERNEL32(C0000409,?,0051226B,P0Q), ref: 0051214A
    • TerminateProcess.KERNEL32(00000000,?,0051226B,P0Q), ref: 00512151
    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID: k"Q
    • API String ID: 3231755760-1956497
    • Opcode ID: e6d4a9f3bad4429860edaf1648642ec3116de56790ffce0d0ed766b61ebc5301
    • Instruction ID: 53a11b23f7081f4767483bb7c3b48f7ac24164b3b85d9ae0f1610ea6367d409c
    • Opcode Fuzzy Hash: e6d4a9f3bad4429860edaf1648642ec3116de56790ffce0d0ed766b61ebc5301
    • Instruction Fuzzy Hash: F4D0C972004204ABC7002BE3ED0CA893E29EB9C352F0A9010F30A8A020CA354805AF65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00512038
    • GetCurrentProcessId.KERNEL32 ref: 00512047
    • GetCurrentThreadId.KERNEL32 ref: 00512050
    • GetTickCount.KERNEL32 ref: 00512059
    • QueryPerformanceCounter.KERNEL32(?), ref: 0051206E
    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 26e697311aa31924d3625989a244816eface89ced9b3987fc575f72c6ee8b090
    • Instruction ID: dc6712427fa335321d58c3de9a45e89c534f583f2874abd9539ef01bc3253dd3
    • Opcode Fuzzy Hash: 26e697311aa31924d3625989a244816eface89ced9b3987fc575f72c6ee8b090
    • Instruction Fuzzy Hash: F411E3B5D01208ABDB10DBB9D94CADEBBF4BB6C351F5688A5D506EB210E6309B48DF00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 005116F6
    • GetLastError.KERNEL32 ref: 00511703
    • DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 00511729
    • DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 00511782
    • DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 005117AB
    • GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 005117BE
    • memset.MSVCRT ref: 005117EA
    • RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,?,?,0000007C), ref: 00511815
    • RegCloseKey.ADVAPI32(?), ref: 00511830
    • CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 0051185F
    • DevObjDestroyDeviceInfoList.DEVOBJ(00000000,?,00000004,00000000,00000000), ref: 005118A2
    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: DeviceInfo$ErrorLastList$ClassCloseCompareCreateDestroyDevsEnumOpenOrdinalQueryStringValuememset
    • String ID: $$Bluetooth_UniqueID$|
    • API String ID: 304487998-582949365
    • Opcode ID: 2d42bb87abf0bdd66c64100c7a99d61d1107f2aa254acc1fea4c53183243f38f
    • Instruction ID: 79aea025eadf2b145a85fc5fe66eb3f1bbc610a21e9849ec0249fa52006d29fa
    • Opcode Fuzzy Hash: 2d42bb87abf0bdd66c64100c7a99d61d1107f2aa254acc1fea4c53183243f38f
    • Instruction Fuzzy Hash: 2551E976D006349BDB209B258C48BDABEB9FF89720F1142D5FA59E7280DB709D849F90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.MSVCRT ref: 0051196E
    • OpenEventW.KERNEL32(00000002,00000000,?), ref: 005119A3
    • GetLastError.KERNEL32 ref: 005119B5
      • Part of subcall function 005116CF: DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 005116F6
      • Part of subcall function 005116CF: GetLastError.KERNEL32 ref: 00511703
      • Part of subcall function 005116CF: DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 00511729
      • Part of subcall function 005116CF: DevObjDestroyDeviceInfoList.DEVOBJ(00000000,?,00000004,00000000,00000000), ref: 005118A2
      • Part of subcall function 005116CF: DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 00511782
      • Part of subcall function 005116CF: DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 005117AB
      • Part of subcall function 005116CF: GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 005117BE
      • Part of subcall function 005116CF: memset.MSVCRT ref: 005117EA
      • Part of subcall function 005116CF: RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,?,?,0000007C), ref: 00511815
      • Part of subcall function 005116CF: RegCloseKey.ADVAPI32(?), ref: 00511830
      • Part of subcall function 005116CF: CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 0051185F
    • SetEvent.KERNEL32(00000000), ref: 005119BE
    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: DeviceErrorInfoLast$EventListOpenmemset$ClassCloseCompareCreateDestroyDevsEnumOrdinalQueryStringValue
    • String ID: BTHLE$BTHLEDevice$Global\BTH_UNINSTALL_DEVICE_%s$bthenum
    • API String ID: 3367271578-2565694137
    • Opcode ID: 8e5495a47514cd07f8c9e11f357b613c0fadfe0505c3c3cb1256c9b12567a586
    • Instruction ID: 5c61790ba66229daba91fe9d948d40f0eb991cc7ae2c7bb216ddb580e17faf3a
    • Opcode Fuzzy Hash: 8e5495a47514cd07f8c9e11f357b613c0fadfe0505c3c3cb1256c9b12567a586
    • Instruction Fuzzy Hash: 13112932A00A29ABE7106B94984DBDEBFE9FFC4750F1445D5EB2597240DA30CDC08B58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00511E4A: GetModuleHandleW.KERNEL32(00000000), ref: 00511E51
    • __set_app_type.MSVCRT ref: 00511A42
    • __p__fmode.MSVCRT ref: 00511A58
    • __p__commode.MSVCRT ref: 00511A66
    • __setusermatherr.MSVCRT ref: 00511A87
    Memory Dump Source
    • Source File: 00000000.00000002.1298475546.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1298459558.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000514000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1298490739.0000000000516000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_last_stage.jbxd
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: 0b5d8673647a748a3215b997dce5d850cb170ace8806f23eadd944f95fb28fee
    • Instruction ID: 0284475c4a74ce70ed3209da40600795328784de06322ad25469855b8efbecd3
    • Opcode Fuzzy Hash: 0b5d8673647a748a3215b997dce5d850cb170ace8806f23eadd944f95fb28fee
    • Instruction Fuzzy Hash: B9F0FE30500701DFE714AB70B85E6C43F65BB68761B109749E611862E0CF399688EA14
    Uniqueness

    Uniqueness Score: -1.00%