Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1430821
MD5:	2019322ea56c5b80294770f6018bddc1
SHA1:	19285ecd68a4d9b957f87502c555dad437cfeb8f
SHA256:	0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Machine Learning detection for dropped file

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

file.exe (PID: 2508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

schtasks.exe (PID: 5556 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7164 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WinTrackerSP.exe (PID: 5732 cmdline: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe MD5: 2019322EA56C5B80294770F6018BDDC1)

WinTrackerSP.exe (PID: 3524 cmdline: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe MD5: 2019322EA56C5B80294770F6018BDDC1)

ExtreamFanV5.exe (PID: 3752 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

ExtreamFanV5.exe (PID: 6404 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

ExtreamFanV5.exe (PID: 3288 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

ExtreamFanV5.exe (PID: 4112 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

PowerExpertNT.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

PowerExpertNT.exe (PID: 5480 cmdline: "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2508, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.66.10 - Destination IP: 192.168.2.5

Timestamp:	04/24/24-09:04:58.222569
SID:	2046266
Source Port:	50505
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 5.42.66.10

Timestamp:	04/24/24-09:04:58.912086
SID:	2049060
Source Port:	49704
Destination Port:	50505
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 5.42.66.10

Timestamp:	04/24/24-09:05:03.048335
SID:	2046269
Source Port:	49704
Destination Port:	50505
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Avira: detection malicious, Label: TR/Redcap.nszjr
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Avira: detection malicious, Label: TR/Redcap.nszjr
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Avira: detection malicious, Label: TR/Redcap.nszjr

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	ReversingLabs: Detection: 63%
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Virustotal: Detection: 73%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 63%
Source: file.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.66.10:50505 -> 192.168.2.5:49704
Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 5.42.66.10:50505
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 5.42.66.10:50505

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 5.42.66.10:50505

Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10

Source: file.exe, 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070340536.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071240449.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207185054.000000000020F000.00000002.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268199142.000000000020F000.00000002.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343560739.000000000052F000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070340536.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071240449.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207185054.000000000020F000.00000002.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268199142.000000000020F000.00000002.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343560739.000000000052F000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllm_object

Source: Joe Sandbox View	Dropped File: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe 0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe 0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe 0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.evad.winEXE@15/8@0/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\ExtreamFanV5

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\IntelPowerExpert
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmpSTLpopstart

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 63%
Source: file.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Source: unknown	Process created: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: PowerExpertNT.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\Temp\PowerExpertNT\PowerExpertNT.exe

Source: file.exe

Static file information: File size 5857792 > 1048576

Source: file.exe

Static PE information: Raw size of .vmp1024 is bigger than: 0x100000 < 0x593400

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1024

Source: file.exe	Static PE information: section name: .vmp1024
Source: file.exe	Static PE information: section name: .vmp1024
Source: ExtreamFanV5.exe.0.dr	Static PE information: section name: .vmp1024
Source: ExtreamFanV5.exe.0.dr	Static PE information: section name: .vmp1024
Source: PowerExpertNT.exe.0.dr	Static PE information: section name: .vmp1024
Source: PowerExpertNT.exe.0.dr	Static PE information: section name: .vmp1024
Source: WinTrackerSP.exe.0.dr	Static PE information: section name: .vmp1024
Source: WinTrackerSP.exe.0.dr	Static PE information: section name: .vmp1024

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 2508 base: 1940005 value: E9 8B 2F 5B 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 2508 base: 76EF2F90 value: E9 7A D0 A4 8A	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Memory written: PID: 5732 base: 1CA0005 value: E9 8B 2F 25 75	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Memory written: PID: 5732 base: 76EF2F90 value: E9 7A D0 DA 8A	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Memory written: PID: 3524 base: A60005 value: E9 8B 2F 49 76	Jump to behavior
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	Memory written: PID: 3524 base: 76EF2F90 value: E9 7A D0 B6 89	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Memory written: PID: 6404 base: 10B0005 value: E9 8B 2F E4 75	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Memory written: PID: 6404 base: 76EF2F90 value: E9 7A D0 1B 8A	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Memory written: PID: 4112 base: 12A0005 value: E9 8B 2F C5 75	Jump to behavior
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	Memory written: PID: 4112 base: 76EF2F90 value: E9 7A D0 3A 8A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Memory written: PID: 5480 base: 440005 value: E9 8B 2F AB 76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	Memory written: PID: 5480 base: 76EF2F90 value: E9 7A D0 54 89	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.3271713510.0000000000F2A000.00000020.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070389474.0000000000DFA000.00000020.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071295908.0000000000DFA000.00000020.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207221346.000000000022A000.00000020.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268272008.000000000022A000.00000020.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343606376.000000000054A000.00000020.00000001.01000000.00000009.sdmp	Binary or memory string: R.SBIEDLL.DLL>3
Source: file.exe, 00000000.00000002.3271713510.0000000000F2A000.00000020.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070389474.0000000000DFA000.00000020.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071295908.0000000000DFA000.00000020.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207221346.000000000022A000.00000020.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268272008.000000000022A000.00000020.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343606376.000000000054A000.00000020.00000001.01000000.00000009.sdmp	Binary or memory string: R.SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe TID: 1672	Thread sleep count: 41 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1672	Thread sleep count: 39 > 30			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: file.exe, 00000000.00000002.3272728136.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	1 Credential API Hooking	21 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	63%	ReversingLabs	Win32.Trojan.Privateloader
file.exe	74%	Virustotal		Browse
file.exe	100%	Avira	TR/Redcap.nszjr
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	100%	Avira	TR/Redcap.nszjr
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	100%	Avira	TR/Redcap.nszjr
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	100%	Avira	TR/Redcap.nszjr
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	100%	Joe Sandbox ML
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	100%	Joe Sandbox ML
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	63%	ReversingLabs	Win32.Trojan.Privateloader
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	74%	Virustotal		Browse
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	63%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	74%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	63%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	74%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070340536.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071240449.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207185054.000000000020F000.00000002.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268199142.000000000020F000.00000002.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343560739.000000000052F000.00000002.00000001.01000000.00000009.sdmp	false		high
http://www.winimage.com/zLibDllm_object	file.exe, 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp, WinTrackerSP.exe, 00000006.00000002.2070340536.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, WinTrackerSP.exe, 00000007.00000002.2071240449.0000000000DDF000.00000002.00000001.01000000.00000006.sdmp, ExtreamFanV5.exe, 0000000B.00000002.2207185054.000000000020F000.00000002.00000001.01000000.00000007.sdmp, ExtreamFanV5.exe, 0000000F.00000002.2268199142.000000000020F000.00000002.00000001.01000000.00000007.sdmp, PowerExpertNT.exe, 00000012.00000002.2343560739.000000000052F000.00000002.00000001.01000000.00000009.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.42.66.10	unknown	Russian Federation		39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430821
Start date and time:	2024-04-24 09:04:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@15/8@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ExtreamFanV5.exe, PID 6404 because there are no executed function
Execution Graph export aborted for target PowerExpertNT.exe, PID 5480 because there are no executed function
Execution Graph export aborted for target WinTrackerSP.exe, PID 5732 because there are no executed function
Execution Graph export aborted for target file.exe, PID 2508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:04:58	Task Scheduler	Run new task: WinTrackerSP HR path: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
09:04:58	Task Scheduler	Run new task: WinTrackerSP LG path: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
09:05:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5 C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
09:05:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5 C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
09:05:17	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.42.66.10	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	5.42.66.10/api/flash.php
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	5.42.66.10/api/flash.php
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	5.42.66.10/download/th/Retailer_prog.exe
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	5.42.66.10/download/th/getimage15.php
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10/api/flash.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.50
	HwJWf67Y5h.exe	Get hash	malicious	RedLine	Browse	5.42.65.50
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	5.42.65.50
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.50
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.50

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	e8iuAWz9pB.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	e8iuAWz9pB.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	e8iuAWz9pB.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse

Created / dropped Files

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5857792
Entropy (8bit):	7.958973990519404
Encrypted:	false
SSDEEP:	98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7
MD5:	2019322EA56C5B80294770F6018BDDC1
SHA1:	19285ECD68A4D9B957F87502C555DAD437CFEB8F
SHA-256:	0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
SHA-512:	092B6A5E503DA5057FB569BA439DFF8DEA9C79CE6A036F460543EBBC7EB5DE9BC206F5283C26F9F38E4ED027FB9B99336C199C7446E9E1BB3B973E71E11683E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 74%, Browse
Joe Sandbox View:	Filename: 7qAKRRMho6.exe, Detection: malicious, Browse Filename: 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe, Detection: malicious, Browse Filename: e8iuAWz9pB.exe, Detection: malicious, Browse Filename: 5zq2Yob8xh.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............'.....x.......e............@...................................Z...@..................................................................................................o. ......@............................................text...{........................... ..`.rdata...r..........................@..@.data....&...p......................@....vmp1024F.3.........................`..`.vmp1024.3Y...;..4Y.................`..`.reloc..............8Y.............@..@.rsrc............"...@Y.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5857792
Entropy (8bit):	7.958973990519404
Encrypted:	false
SSDEEP:	98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7
MD5:	2019322EA56C5B80294770F6018BDDC1
SHA1:	19285ECD68A4D9B957F87502C555DAD437CFEB8F
SHA-256:	0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
SHA-512:	092B6A5E503DA5057FB569BA439DFF8DEA9C79CE6A036F460543EBBC7EB5DE9BC206F5283C26F9F38E4ED027FB9B99336C199C7446E9E1BB3B973E71E11683E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 74%, Browse
Joe Sandbox View:	Filename: 7qAKRRMho6.exe, Detection: malicious, Browse Filename: 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe, Detection: malicious, Browse Filename: e8iuAWz9pB.exe, Detection: malicious, Browse Filename: 5zq2Yob8xh.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............'.....x.......e............@...................................Z...@..................................................................................................o. ......@............................................text...{........................... ..`.rdata...r..........................@..@.data....&...p......................@....vmp1024F.3.........................`..`.vmp1024.3Y...;..4Y.................`..`.reloc..............8Y.............@..@.rsrc............"...@Y.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5857792
Entropy (8bit):	7.958973990519404
Encrypted:	false
SSDEEP:	98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7
MD5:	2019322EA56C5B80294770F6018BDDC1
SHA1:	19285ECD68A4D9B957F87502C555DAD437CFEB8F
SHA-256:	0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
SHA-512:	092B6A5E503DA5057FB569BA439DFF8DEA9C79CE6A036F460543EBBC7EB5DE9BC206F5283C26F9F38E4ED027FB9B99336C199C7446E9E1BB3B973E71E11683E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 74%, Browse
Joe Sandbox View:	Filename: 7qAKRRMho6.exe, Detection: malicious, Browse Filename: 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe, Detection: malicious, Browse Filename: e8iuAWz9pB.exe, Detection: malicious, Browse Filename: 5zq2Yob8xh.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............'.....x.......e............@...................................Z...@..................................................................................................o. ......@............................................text...{........................... ..`.rdata...r..........................@..@.data....&...p......................@....vmp1024F.3.........................`..`.vmp1024.3Y...;..4Y.................`..`.reloc..............8Y.............@..@.rsrc............"...@Y.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\tmpSTLpopstart\stlmapfrog

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	modified
Size (bytes):	77
Entropy (8bit):	4.778431229862073
Encrypted:	false
SSDEEP:	3:7OoQGlha3FqbYoQGlzVouu+m:rQoGFqJQoZo1
MD5:	A2F48548E95FD7DEFDDEEE2C3954AE4F
SHA1:	42A6CE0B4F93142B900B6D131400AD328E1A91E6
SHA-256:	2EFF8E0A97F135F84D767E79B61A1BD34AEBE5A5B5C26801286287E621B125A0
SHA-512:	E49699DBA070DCABFA638B216201F52354EF1FEB48D3DAE5B0E56B2D7289EDBE642806AEEAFEC7618651937E27109F56439FE9A348C1604B646BF83CD6130398
Malicious:	false
Preview:	.sYYYY[....5.......0)[CY[HLMWHOWHILWJO[.sYYYY[....5.......-...[CYHNHJ@MKK@As.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Wed Apr 24 06:04:57 2024, mtime=Wed Apr 24 06:04:57 2024, atime=Wed Apr 24 06:04:54 2024, length=5857792, window=hide
Category:	dropped
Size (bytes):	1239
Entropy (8bit):	4.911150372803357
Encrypted:	false
SSDEEP:	24:8slfb8qJRNgKhCM/IT9NDAkmnYjAW4H4mAd1Xqygm:84QQR+MQT9SX6T1ayg
MD5:	3DE9D906466BDC6278D6F3D1F7650C7C
SHA1:	136E840E2A180FD3C1074A37C15BEABFEA7C8280
SHA-256:	8CDDA29B4FB1FB4F9622ABA101653F78A1F6E590D5B4442BDDC9EBD73DE20993
SHA-512:	1CF87CCE4A14F1DCD1995B9A6B603A01AEFC8A4CB1C155E3A352C7F87ED15E7A9D4F77B7AB2CE7A30D5DC8D8CF341D754CFEE329826B9600987812C430D0AC16
Malicious:	false
Preview:	L..................F.... ...........s.......{.......bY.....................0.:..DG..Yr?.D..U..k0.&...&...... M.....@F.......N.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X.8....B.....................Bdg.A.p.p.D.a.t.a...B.P.1......X.8..Local.<......DWSl.X.8....V........................L.o.c.a.l.....N.1......X.8..Temp..:......DWSl.X.8....\........................T.e.m.p.....d.1......X.8..POWERE~1..L......X.8.X.8....8.....................H...P.o.w.e.r.E.x.p.e.r.t.N.T.....p.2..bY..X.8 .POWERE~1.EXE..T......X.8.X.8....;......................>..P.o.w.e.r.E.x.p.e.r.t.N.T...e.x.e.......q...............-.......p............'!<.....C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe....P.o.w.e.r.E.x.p.e.r.t.N.T.<.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.P.o.w.e.r.E.x.p.e.r.t.N.T.\.P.o.w.e.r.E.x.p.e.r.t.N.T...e.x.e.........\|....I.J.H..K..:...`.......X.......468325...........hT..CrF.f4... .y2=.b...,...W..hT..Cr

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.958973990519404
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5'857'792 bytes
MD5:	2019322ea56c5b80294770f6018bddc1
SHA1:	19285ecd68a4d9b957f87502c555dad437cfeb8f
SHA256:	0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096
SHA512:	092b6a5e503da5057fb569ba439dff8dea9c79ce6a036f460543ebbc7eb5de9bc206f5283c26f9f38e4ed027fb9b99336c199c7446e9e1bb3b973e71e11683e0
SSDEEP:	98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7
TLSH:	F046237353710081D1E5883A56377EE872FB037E8F51B5382AE72DC436A66E8E623953
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............'.....x.......e............@...................................Z...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xc965d6
Entrypoint Section:	.vmp1024
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x660C03D4 [Tue Apr 2 13:10:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b92af7920132d9c164f3fefd70cac1d7

Entrypoint Preview

Instruction
push BAA6E76Ah
call 00007F16B4AE727Eh
jmp 00007F16B4AEA5D5h
jmp 00007F16B4C7BEDCh
inc ecx
clc
cmp ebx, 04h
jmp 00007F16B4A75FADh
test esp, edx
not eax
jmp 00007F16B4B0C377h
mov dx, word ptr [ebp+00h]
jmp 00007F16B474A2F2h
dec ecx
jmp 00007F16B4B8B91Eh
add esi, edx
jmp 00007F16B4C63112h
push edi
ret
jmp edi
jc 00007F16B4AE4207h
movzx edx, cl
dec al
shld ax, ax, 00000077h
bts ax, cx
mov eax, 38E38E39h
test ecx, 08BA2312h
cmp cx, 1CEBh
stc
mul edx
shr edx, 1
mov ax, dx
ror eax, 45h
movzx eax, dl
bsr dx, dx
btr edx, FFFFFFA7h
mov edx, eax
lea ecx, dword ptr [ecx+00h]
cmc
test sp, 67F5h
add cl, FFFFFFF7h
clc
cmc
sub eax, 01h
jmp 00007F16B4AE41ACh
mov eax, dword ptr [ebp+08h]
pop edi
jmp 00007F16B4AA79B7h
inc ecx
inc ebx
inc ecx
neg ebx
jmp 00007F16B4AAE3B5h
push edi
ret
jmp 00007F16B476087Fh
inc edx
jmp 00007F16B4B5CE71h
jmp edi
mov word ptr [esi+04h], dx
cmovnle dx, dx
mov dx, bp
bswap dx
pushfd
pop dword ptr [esi]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x83aef8	0xdc	.vmp1024
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x950000	0x49bb5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94f000	0x618	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6ffd88	0x20	.vmp1024
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x94def0	0x40	.vmp1024
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x88b000	0x80	.vmp1024
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6da7b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6f000	0x17200	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x87000	0x2698	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp1024	0x8a000	0x330e46	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1024	0x3bb000	0x5933f0	0x593400	ba6b512b8eafe58512a8ca98144253e1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x94f000	0x618	0x800	13badda7649731b81d32422fb18b4a27	False	0.4130859375	data	3.54613520452289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x950000	0x49bb5	0x2200	b1fb8a707a41cb257d4be4a268724e75	False	0.2672334558823529	data	3.1598133691010966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x952178	0x134	data	English	United States	0.08823529411764706
RT_CURSOR	0x9522ac	0x134	empty	English	United States	0
RT_CURSOR	0x9523e0	0x134	empty	English	United States	0
RT_CURSOR	0x952514	0x134	empty	English	United States	0
RT_CURSOR	0x952648	0x134	empty	English	United States	0
RT_CURSOR	0x95277c	0x134	empty	English	United States	0
RT_CURSOR	0x9528b0	0x134	empty	English	United States	0
RT_CURSOR	0x9529e4	0x134	empty	English	United States	0
RT_CURSOR	0x952b18	0x134	empty	English	United States	0
RT_CURSOR	0x952c4c	0x134	empty	English	United States	0
RT_CURSOR	0x952d80	0x134	empty	English	United States	0
RT_CURSOR	0x952eb4	0x134	empty	English	United States	0
RT_CURSOR	0x952fe8	0x134	empty	English	United States	0
RT_CURSOR	0x95311c	0xb4	empty	English	United States	0
RT_CURSOR	0x9531d0	0x134	empty	English	United States	0
RT_CURSOR	0x953304	0x134	empty	English	United States	0
RT_CURSOR	0x953438	0x134	empty	English	United States	0
RT_CURSOR	0x95356c	0x134	empty	English	United States	0
RT_CURSOR	0x9536a0	0x134	empty	English	United States	0
RT_CURSOR	0x9537d4	0x134	empty	English	United States	0
RT_CURSOR	0x953908	0x134	empty	English	United States	0
RT_CURSOR	0x953a3c	0x134	empty	English	United States	0
RT_CURSOR	0x953b70	0x134	empty	English	United States	0
RT_CURSOR	0x953ca4	0x134	empty	English	United States	0
RT_CURSOR	0x953dd8	0x134	empty	English	United States	0
RT_CURSOR	0x953f0c	0x134	empty	English	United States	0
RT_CURSOR	0x954040	0x134	empty	English	United States	0
RT_CURSOR	0x954174	0x134	empty	English	United States	0
RT_BITMAP	0x9542a8	0x189ea	empty	English	United States	0
RT_BITMAP	0x96cc94	0x62c	empty	English	United States	0
RT_BITMAP	0x96d2c0	0xe8	empty	English	United States	0
RT_BITMAP	0x96d3a8	0x4a0	empty	English	United States	0
RT_BITMAP	0x96d848	0x197a	empty	English	United States	0
RT_BITMAP	0x96f1c4	0xc8	empty	English	United States	0
RT_BITMAP	0x96f28c	0xc8	empty	English	United States	0
RT_BITMAP	0x96f354	0xc8	empty	English	United States	0
RT_BITMAP	0x96f41c	0xc8	empty	English	United States	0
RT_BITMAP	0x96f4e4	0x182a	empty	English	United States	0
RT_BITMAP	0x970d10	0x468	empty	English	United States	0
RT_BITMAP	0x971178	0x528	empty	English	United States	0
RT_BITMAP	0x9716a0	0x528	empty	English	United States	0
RT_BITMAP	0x971bc8	0x158	empty	English	United States	0
RT_BITMAP	0x971d20	0x188	empty	English	United States	0
RT_BITMAP	0x971ea8	0x1e8	empty	English	United States	0
RT_BITMAP	0x972090	0xad2	empty	English	United States	0
RT_BITMAP	0x972b64	0xad2	empty	English	United States	0
RT_BITMAP	0x973638	0xb0a	empty	English	United States	0
RT_BITMAP	0x974144	0x7e2	empty	English	United States	0
RT_BITMAP	0x974928	0xb0a	empty	English	United States	0
RT_BITMAP	0x975434	0x134	empty	English	United States	0
RT_BITMAP	0x975568	0x928	empty	English	United States	0
RT_BITMAP	0x975e90	0x32a	empty	English	United States	0
RT_BITMAP	0x9761bc	0x32a	empty	English	United States	0
RT_BITMAP	0x9764e8	0xc2a	empty	English	United States	0
RT_BITMAP	0x977114	0x20a	empty	English	United States	0
RT_BITMAP	0x977320	0x20a	empty	English	United States	0
RT_BITMAP	0x97752c	0x20a	empty	English	United States	0
RT_BITMAP	0x977738	0x20a	empty	English	United States	0
RT_BITMAP	0x977944	0x32a	empty	English	United States	0
RT_BITMAP	0x977c70	0x2256	empty	English	United States	0
RT_BITMAP	0x979ec8	0x602a	empty	English	United States	0
RT_BITMAP	0x97fef4	0x2028	empty	English	United States	0
RT_BITMAP	0x981f1c	0x13da	empty	English	United States	0
RT_BITMAP	0x9832f8	0x13da	empty	English	United States	0
RT_BITMAP	0x9846d4	0x13da	empty	English	United States	0
RT_BITMAP	0x985ab0	0xeb2	empty	English	United States	0
RT_BITMAP	0x986964	0x13da	empty	English	United States	0
RT_BITMAP	0x987d40	0x13da	empty	English	United States	0
RT_BITMAP	0x98911c	0x13da	empty	English	United States	0
RT_BITMAP	0x98a4f8	0x13da	empty	English	United States	0
RT_BITMAP	0x98b8d4	0xeb2	empty	English	United States	0
RT_BITMAP	0x98c788	0x13da	empty	English	United States	0
RT_BITMAP	0x98db64	0x5a66	empty	English	United States	0
RT_BITMAP	0x9935cc	0xb8	empty	English	United States	0
RT_BITMAP	0x993684	0x144	empty	English	United States	0
RT_MENU	0x9937c8	0x11c	empty	English	United States	0
RT_DIALOG	0x9938e4	0x144	empty	English	United States	0
RT_DIALOG	0x993a28	0x1f6	empty	English	United States	0
RT_DIALOG	0x993c20	0x13c	empty	English	United States	0
RT_DIALOG	0x993d5c	0x1a4	empty	English	United States	0
RT_DIALOG	0x993f00	0xe6	empty	English	United States	0
RT_DIALOG	0x993fe8	0x390	empty	English	United States	0
RT_DIALOG	0x994378	0x21c	empty	English	United States	0
RT_DIALOG	0x994594	0x390	empty	English	United States	0
RT_DIALOG	0x994924	0x1dc	empty	English	United States	0
RT_DIALOG	0x994b00	0x346	empty	English	United States	0
RT_DIALOG	0x994e48	0x334	empty	English	United States	0
RT_DIALOG	0x99517c	0x58	empty	English	United States	0
RT_DIALOG	0x9951d4	0x23c	empty	English	United States	0
RT_DIALOG	0x995410	0x1c2	empty	English	United States	0
RT_DIALOG	0x9955d4	0x160	empty	English	United States	0
RT_DIALOG	0x995734	0xb2	empty	English	United States	0
RT_DIALOG	0x9957e8	0x3d4	empty	English	United States	0
RT_DIALOG	0x995bbc	0x19e	empty	English	United States	0
RT_DIALOG	0x995d5c	0x1a2	empty	English	United States	0
RT_DIALOG	0x995f00	0x34	empty	English	United States	0
RT_DIALOG	0x995f34	0x2a8	empty	English	United States	0
RT_DIALOG	0x9961dc	0x382	empty	English	United States	0
RT_DIALOG	0x996560	0xe8	empty	English	United States	0
RT_DIALOG	0x996648	0x34	empty	English	United States	0
RT_STRING	0x99667c	0x4c	empty	English	United States	0
RT_STRING	0x9966c8	0x32c	empty	English	United States	0
RT_STRING	0x9969f4	0x248	empty	English	United States	0
RT_STRING	0x996c3c	0x84	empty	English	United States	0
RT_STRING	0x996cc0	0x2a8	empty	English	United States	0
RT_STRING	0x996f68	0x20e	empty	English	United States	0
RT_STRING	0x997178	0x24c	empty	English	United States	0
RT_STRING	0x9973c4	0x3c	empty	English	United States	0
RT_STRING	0x997400	0x16e	empty	English	United States	0
RT_STRING	0x997570	0xa6	empty	English	United States	0
RT_STRING	0x997618	0x184	empty	English	United States	0
RT_STRING	0x99779c	0x66	empty	English	United States	0
RT_STRING	0x997804	0x1d6	empty	English	United States	0
RT_STRING	0x9979dc	0x186	empty	English	United States	0
RT_STRING	0x997b64	0xb2	empty	English	United States	0
RT_STRING	0x997c18	0x48	empty	English	United States	0
RT_STRING	0x997c60	0x18c	empty	English	United States	0
RT_STRING	0x997dec	0x82	empty	English	United States	0
RT_STRING	0x997e70	0x2a	empty	English	United States	0
RT_STRING	0x997e9c	0x184	empty	English	United States	0
RT_STRING	0x998020	0x4ee	empty	English	United States	0
RT_STRING	0x998510	0x264	empty	English	United States	0
RT_STRING	0x998774	0x2da	empty	English	United States	0
RT_STRING	0x998a50	0x8a	empty	English	United States	0
RT_STRING	0x998adc	0xac	empty	English	United States	0
RT_STRING	0x998b88	0xde	empty	English	United States	0
RT_STRING	0x998c68	0x4a8	empty	English	United States	0
RT_STRING	0x999110	0x228	empty	English	United States	0
RT_STRING	0x999338	0x2c	empty	English	United States	0
RT_STRING	0x999364	0x53e	empty	English	United States	0
RT_GROUP_CURSOR	0x9998a4	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9998b8	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9998cc	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9998e0	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9998f4	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999908	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x99991c	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999930	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999944	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999958	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x99996c	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999980	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999994	0x22	empty	English	United States	0
RT_GROUP_CURSOR	0x9999b8	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9999cc	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9999e0	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x9999f4	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a08	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a1c	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a30	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a44	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a58	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a6c	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a80	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999a94	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999aa8	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x999abc	0x14	empty	English	United States	0
RT_MANIFEST	0x951ea0	0x2d5	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5020689655172413
None	0x999ad0	0xe5	empty	English	United States	0

Imports

DLL	Import
KERNEL32.dll	Sleep
ADVAPI32.dll	GetUserNameA
SHELL32.dll	ShellExecuteA
ole32.dll	CoCreateInstance
WS2_32.dll	send
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetProcessWindowStation
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-09:04:58.222569	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50505	49704	5.42.66.10	192.168.2.5
04/24/24-09:04:58.912086	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49704	50505	192.168.2.5	5.42.66.10
04/24/24-09:05:03.048335	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49704	50505	192.168.2.5	5.42.66.10

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 09:04:57.560302973 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:57.891004086 CEST	50505	49704	5.42.66.10	192.168.2.5
Apr 24, 2024 09:04:57.891220093 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:58.222568989 CEST	50505	49704	5.42.66.10	192.168.2.5
Apr 24, 2024 09:04:58.266952038 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:58.912086010 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:59.286880016 CEST	50505	49704	5.42.66.10	192.168.2.5
Apr 24, 2024 09:04:59.329447031 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:59.584568977 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:04:59.915158987 CEST	50505	49704	5.42.66.10	192.168.2.5
Apr 24, 2024 09:04:59.970065117 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:05:03.048335075 CEST	49704	50505	192.168.2.5	5.42.66.10
Apr 24, 2024 09:05:03.379144907 CEST	50505	49704	5.42.66.10	192.168.2.5
Apr 24, 2024 09:05:03.423161983 CEST	49704	50505	192.168.2.5	5.42.66.10

Target ID:	0
Start time:	09:04:55
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xea0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:04:57
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xd30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:04:57
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:04:57
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xd30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:04:57
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:04:58
Start date:	24/04/2024
Path:	C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Imagebase:	0xd70000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:04:59
Start date:	24/04/2024
Path:	C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Imagebase:	0xd70000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:05:09
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Imagebase:	0x1a0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:05:10
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Imagebase:	0x1a0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:05:17
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Imagebase:	0x1a0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:05:18
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe"
Imagebase:	0x1a0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:05:25
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe"
Imagebase:	0x4c0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:05:26
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe"
Imagebase:	0x4c0000
File size:	5'857'792 bytes
MD5 hash:	2019322EA56C5B80294770F6018BDDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00EAC790 Relevance: 2.5, Strings: 2, Instructions: 30COMMON

Download Yara Rule

Strings

5.42.66.10, xrefs: 00EAC7C9
50505, xrefs: 00EAC7BC

Memory Dump Source

Source File: 00000000.00000002.3271616619.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.3271597881.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271699313.0000000000F27000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271713510.0000000000F2A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271744604.0000000000F4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271768108.0000000000F55000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.00000000017EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.000000000181A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_file.jbxd

Similarity

API ID:
String ID: 5.42.66.10$50505
API String ID: 0-2257907482
Opcode ID: 2a644ad97705dcb2cceb00db5b180263c7b57c3b3b5d181857f793e6d7612f79
Instruction ID: c1ff9c11ff08e4f1988a9005b2c6ef4280e5dc918646fcd0a2f2793e43bb2716
Opcode Fuzzy Hash: 2a644ad97705dcb2cceb00db5b180263c7b57c3b3b5d181857f793e6d7612f79
Instruction Fuzzy Hash: C8F0B474A002089BCB01EFB8D812A9E7BF5DF45324F205258E5186F3D1DB715E019FD1

Uniqueness

Uniqueness Score: -1.00%

Function 00EADAB0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3271616619.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.3271597881.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271699313.0000000000F27000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271713510.0000000000F2A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271744604.0000000000F4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271768108.0000000000F55000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.00000000017EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.000000000181A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12af8222340682843f12a61e727801c54e83ce9a6374af53a67abca88ee753a4
Instruction ID: a686e82c18e19ed9a7f2905067d490ae738cee56e9588accf9b158beda2a09f6
Opcode Fuzzy Hash: 12af8222340682843f12a61e727801c54e83ce9a6374af53a67abca88ee753a4
Instruction Fuzzy Hash: 1D012670904345AAD630ABA89C47F593268E70AB34F240314B1307A6F0D3FE6442DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00EAC7F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3271616619.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.3271597881.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271675372.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271699313.0000000000F27000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271713510.0000000000F2A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271744604.0000000000F4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3271768108.0000000000F55000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.00000000017EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272486169.000000000181A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001132032f36c2a1ceb2f91d7c48a9e30744c8488491816b5ca42b1a89ec3d8f
Instruction ID: 982d3b9fcc24e01afb76d3835d3d37555ec0bf6f244793c8ff6216eff2758fd4
Opcode Fuzzy Hash: 001132032f36c2a1ceb2f91d7c48a9e30744c8488491816b5ca42b1a89ec3d8f
Instruction Fuzzy Hash: 35E04F70D40308BFDB54EF94C886BEDBBB8AB09700F10C1A9F909AB2C0D7B057448B95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe:Zone.Identifier

C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe

C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\tmpSTLpopstart\stlmapfrog

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Statistics

Windows Analysis Report
file.exe