Edit tour

Windows Analysis Report
Scan.exe

Overview

General Information

Sample name:	Scan.exe
Analysis ID:	1431280
MD5:	42832db85ef430c08794a3b8125c6739
SHA1:	a9e8838247edac1e67a61406839b1c05821735f9
SHA256:	5a351a6f459836b952ae45a564add378ddad3b6b725e7b63f831b84f679c3818
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Scan.exe (PID: 2380 cmdline: "C:\Users\user\Desktop\Scan.exe" MD5: 42832DB85EF430C08794A3B8125C6739)

conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Scan.exe PID: 2380	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Scan.exe PID: 2380	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Scan.exe

ReversingLabs: Detection: 13%

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan.exe PID: 2380, type: MEMORYSTR

Source: Scan.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Scan.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F3C2D9	0_2_00007FF848F3C2D9
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F3F2E9	0_2_00007FF848F3F2E9
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F32130	0_2_00007FF848F32130
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F34B08	0_2_00007FF848F34B08
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F453D8	0_2_00007FF848F453D8
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F39690	0_2_00007FF848F39690
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F39698	0_2_00007FF848F39698
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F31099	0_2_00007FF848F31099
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F3C761	0_2_00007FF848F3C761
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F44C19	0_2_00007FF848F44C19
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F45431	0_2_00007FF848F45431
Source: C:\Users\user\Desktop\Scan.exe	Code function: 0_2_00007FF848F40C8A	0_2_00007FF848F40C8A

Source: Scan.exe

Static PE information: No import functions for PE file found

Source: Scan.exe, 00000000.00000000.1978205571.00000123279D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAracewed: vs Scan.exe
Source: Scan.exe	Binary or memory string: OriginalFilenameAracewed: vs Scan.exe

Source: classification engine

Classification label: mal76.expl.evad.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\Scan.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03

Source: Scan.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Scan.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\Scan.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\Scan.exe

File read: C:\Users\user\Desktop\Scan.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scan.exe "C:\Users\user\Desktop\Scan.exe"
Source: C:\Users\user\Desktop\Scan.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\Scan.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Section loaded: windows.storage.dll	Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Scan.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Scan.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Scan.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Scan.exe

Static PE information: 0xC318C86A [Thu Sep 21 01:01:30 2073 UTC]

Source: C:\Users\user\Desktop\Scan.exe

Code function: 0_2_00007FF84900026B push esp; retf 4810h

0_2_00007FF849000312

Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Scan.exe PID: 2380, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Scan.exe	Memory allocated: 12327EA0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Memory allocated: 12341740000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe	Window / User API: threadDelayed 1628			Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe	Window / User API: threadDelayed 8343			Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe TID: 2520	Thread sleep count: 1628 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe TID: 2520	Thread sleep time: -1628000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe TID: 2788	Thread sleep count: 8343 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan.exe TID: 2788	Thread sleep time: -8343000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Scan.exe, 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Scan.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\Scan.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Scan.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Scan.exe, setPercentGroupSeparatorDefaultMemberAttribute.cs	Reference to suspicious API methods: ((DigitShapesCollapsed)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(WriteWaiterSignaledAction14(UseUserOverrideFunc7.AnsiCodePageSTAThreadAttribute)), WriteWaiterSignaledAction14(UseUserOverrideFunc7.setNumberDecimalSeparatorWriteHalfLittleEndian)), typeof(DigitShapesCollapsed)))("Address", out var _)
Source: Scan.exe, setPercentGroupSeparatorDefaultMemberAttribute.cs	Reference to suspicious API methods: ((DigitShapesCollapsed)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(WriteWaiterSignaledAction14(UseUserOverrideFunc7.AnsiCodePageSTAThreadAttribute)), WriteWaiterSignaledAction14(UseUserOverrideFunc7.setNumberDecimalSeparatorWriteHalfLittleEndian)), typeof(DigitShapesCollapsed)))("Address", out var _)
Source: Scan.exe, setPercentGroupSeparatorDefaultMemberAttribute.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var EnsureSufficientExecutionStackgetFullyQualifiedName)

Source: C:\Users\user\Desktop\Scan.exe

Queries volume information: C:\Users\user\Desktop\Scan.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Scan.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	121 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Scan.exe	13%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431280
Start date and time:	2024-04-24 19:15:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan.exe
Detection:	MAL
Classification:	mal76.expl.evad.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 15 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Scan.exe

Simulations

Behavior and APIs

Time	Type	Description
19:16:23	API Interceptor	1483821x Sleep call for process: Scan.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.988940440788159
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	Scan.exe
File size:	621'949 bytes
MD5:	42832db85ef430c08794a3b8125c6739
SHA1:	a9e8838247edac1e67a61406839b1c05821735f9
SHA256:	5a351a6f459836b952ae45a564add378ddad3b6b725e7b63f831b84f679c3818
SHA512:	b63cee7040bba9071af33e8443578f470bdef4187d0c829ce731d1b2b829b5d3aff9d697401fa2518ed20f69cb36803987a1ebc0ef9f5b4a274c89b107bce3ed
SSDEEP:	12288:n2ye0UL1HmM2i3M27fC7YYwcxHvuUTkqFnSw1bKteUOIgX7hISySSL:9eZBHmMNM27fFcFuKkqFnS6Gtx4X7OSC
TLSH:	21D42382AECB4FAAEFB7873D5CE7C1163331F79556BAC20F1A6490752AC17118364389
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...j............."...0.@G............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC318C86A [Thu Sep 21 01:01:30 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0xbc4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6682	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4740	0x4800	9331bd2fb09a6e2d2cfc93bdd459b76f	False	0.5166558159722222	data	5.845232931641596	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0xbc4	0xc00	a0b0daaf4359ed19da096d2f6cfbc843	False	0.2975260416666667	data	4.087863214616218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80b8	0x490	data			0.4794520547945205
RT_VERSION	0x8548	0x490	data	English	United States	0.4794520547945205
RT_MANIFEST	0x89d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Scan.exePID: 2380, Parent PID: 1028

General

Target ID:	0
Start time:	19:15:49
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\Scan.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Scan.exe"
Imagebase:	0x123279d0000
File size:	621'949 bytes
MD5 hash:	42832DB85EF430C08794A3B8125C6739
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4451724749.000001232976D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5020, Parent PID: 2380

General

Target ID:	1
Start time:	19:15:49
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Scan.exePID: 2380, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF848F39698 Relevance: 5.4, Strings: 3, Instructions: 1655COMMON

Download Yara Rule

Strings

$t9, xrefs: 00007FF848F4182C
x6t9, xrefs: 00007FF848F4156B
x6t9, xrefs: 00007FF848F41590

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: $t9$x6t9$x6t9
API String ID: 0-3224664513
Opcode ID: bf0b20d303143d75ca3f08b2ba88a7c2422eb7f0994f77f4f4bf4cde6cdbb900
Instruction ID: 520049b4245120eecead3fd15e96df8508434a131bbd896a60135712906fb173
Opcode Fuzzy Hash: bf0b20d303143d75ca3f08b2ba88a7c2422eb7f0994f77f4f4bf4cde6cdbb900
Instruction Fuzzy Hash: B2C2C430A0DA598FE799EB28C455AB877E1FF65740F1400BAD04ED72E2DF28AC85CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3F2E9 Relevance: 5.4, Strings: 3, Instructions: 1652COMMON

Download Yara Rule

Strings

x6t9, xrefs: 00007FF848F400B9
#L_L, xrefs: 00007FF848F4016D
x6t9, xrefs: 00007FF848F3FFA9

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: #L_L$x6t9$x6t9
API String ID: 0-242472046
Opcode ID: 89b9e102f554a39c60538bc4f280ac5df41caa8ea2e8993299ed699013132ace
Instruction ID: 31a9fd62a20805aefdba168a842baf4aef3eae849f5ca1c31079009e9a97e989
Opcode Fuzzy Hash: 89b9e102f554a39c60538bc4f280ac5df41caa8ea2e8993299ed699013132ace
Instruction Fuzzy Hash: 6EB22230A1CB494FE359EB2884914B5B7E1FF95341F1445BED88AC72E6DF38A846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31099 Relevance: 4.1, Strings: 3, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"33, xrefs: 00007FF848F31186
Zt9, xrefs: 00007FF848F31337
Zt9, xrefs: 00007FF848F3137D

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: "33$Zt9$Zt9
API String ID: 0-1349775563
Opcode ID: b54ef3b3922c7e24ecc54cd22040fa24e516c591dda75365943f475e3733105c
Instruction ID: b751a25bd71451748390d629598ca11ad43b3f83c74a63a1680ccb95107bb8b0
Opcode Fuzzy Hash: b54ef3b3922c7e24ecc54cd22040fa24e516c591dda75365943f475e3733105c
Instruction Fuzzy Hash: 06A1E523B1E5699ED741B77CB8151E97B60EF863B5B0402B7D188CB0D3DE1CA44683A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F32130 Relevance: 3.2, Strings: 2, Instructions: 728
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fH, xrefs: 00007FF848F35670
d, xrefs: 00007FF848F3539F

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: fH$d
API String ID: 0-722599082
Opcode ID: 93c7f9932e4ce7fcc14f645e12245ea814f86bc51e9774ef4f4ada40972ccfbb
Instruction ID: 7d921e02655775470bf91d3a4da5176c17628c8aea7641c086f5cdb23ec20418
Opcode Fuzzy Hash: 93c7f9932e4ce7fcc14f645e12245ea814f86bc51e9774ef4f4ada40972ccfbb
Instruction Fuzzy Hash: BD223331A1CA4A4FE349EB2894825B177E1FF99354F1442BAC44AC72D7EE29F843C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F34B08 Relevance: 3.1, Strings: 2, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FF848F34CA0
h_H, xrefs: 00007FF848F34CE0

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: fish$h_H
API String ID: 0-944816005
Opcode ID: 8f4fb1257fa4b8f57028e910264c6a50856a95dab8564add2ca956e159b3ee12
Instruction ID: d0a13561780177b0c701020a6a93c7f61432538fd962e8c05cc00149957e04ca
Opcode Fuzzy Hash: 8f4fb1257fa4b8f57028e910264c6a50856a95dab8564add2ca956e159b3ee12
Instruction Fuzzy Hash: 15023B31E0DA864FE359AB78A8151B577E0FFA6390F0441BFD08AC71D7EE18AD068385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3C761 Relevance: 1.4, Instructions: 1440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e031b795e7888c00cb6ac9009f3f0f047799b37601184d05fed1c829c95ee74
Instruction ID: 0125e4334fa607adaf52092d3f0c744f3f0d69bad0a3d1c0ca14001bd204ef18
Opcode Fuzzy Hash: 3e031b795e7888c00cb6ac9009f3f0f047799b37601184d05fed1c829c95ee74
Instruction Fuzzy Hash: 46A2133091CB4A8FE719EB28C4944A5BBE1FF95341F1445BED48AC72A6EB38E946C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F453D8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

mZM , xrefs: 00007FF848F45534

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: mZM
API String ID: 0-4154083876
Opcode ID: 6d4a0f1f4c1c55948fe542fd0737e9e84c8cfe60cad26461622147cbb55a8d78
Instruction ID: bf175ba3a254b07fba58e150d6f97052e5ace1dc2862b9fdd574bbf8f3643c52
Opcode Fuzzy Hash: 6d4a0f1f4c1c55948fe542fd0737e9e84c8cfe60cad26461622147cbb55a8d78
Instruction Fuzzy Hash: B5415C3250D3890FD71EAB7488521B57BE6EB82320F1582BFD086C71E7DE2868478392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F45431 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

mZM , xrefs: 00007FF848F45534

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID: mZM
API String ID: 0-4154083876
Opcode ID: fb6c1cb70a80bdd66df22e851e29b8161b0c641de98b03ab97bdfd4844636ae7
Instruction ID: 87d18200c7f19de12763284b4f8cd3518b1c8ca8ede77cc58ca4cabfee3c59bf
Opcode Fuzzy Hash: fb6c1cb70a80bdd66df22e851e29b8161b0c641de98b03ab97bdfd4844636ae7
Instruction Fuzzy Hash: 21413B3190D7891FD71EAF7488511A67FE6EB86310F1582BFD08ACB1E7DE3858468392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F40C8A Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a34dd43ce6e41482de63346f6088323f992809a94c2614285bdaba33acbeea0
Instruction ID: eb0bd3295d777a51cb4317bba44620071a93beb9b1a513ed4a99793db058b208
Opcode Fuzzy Hash: 0a34dd43ce6e41482de63346f6088323f992809a94c2614285bdaba33acbeea0
Instruction Fuzzy Hash: 42723430A1CB5A4FE359EB2884415B577E1FFA5340F1446BED48AC72E6DF28E886C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F39690 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7545d771d6e13572728b40fe7501fbf9e2773f1dcc8bdf68fab42c99a6a727a5
Instruction ID: cc0737bf5f17a814b142a781c9d254ab0346749b3568393320f2842758b322ea
Opcode Fuzzy Hash: 7545d771d6e13572728b40fe7501fbf9e2773f1dcc8bdf68fab42c99a6a727a5
Instruction Fuzzy Hash: 4B52B330A1CA098FDB68FB289495A7977E1FF59341F1401BEE44AC76D2DF24EC428B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3C2D9 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5379bd3eefaae1342e9c15a114eaf618e48eca062696c6806fe3e06e9b9d6bd
Instruction ID: 8e31b62d87afef47d5a47c26e48d1296ac00eddf6a6962f9e904b85710458f06
Opcode Fuzzy Hash: c5379bd3eefaae1342e9c15a114eaf618e48eca062696c6806fe3e06e9b9d6bd
Instruction Fuzzy Hash: 30F1643190CB864FE319DB2884A51B5B7D2FF95341F1446BFD4CAC72E2EF28A8428785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F32DC0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 267
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF848F32FB1

Strings

$, xrefs: 00007FF848F32DEE

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID: LibraryLoad
String ID: $
API String ID: 1029625771-3993045852
Opcode ID: 1e7b205c1748be15e33084565695b3758b013b0400b9e3fffe6e2eb1da7f714e
Instruction ID: 014a2620e7faf4f202acf43666ccebaab1ec5fb2d4b6f3de3b13a091fdbd1982
Opcode Fuzzy Hash: 1e7b205c1748be15e33084565695b3758b013b0400b9e3fffe6e2eb1da7f714e
Instruction Fuzzy Hash: 7E81C23090CA4D8FEB98EF28D8567A57BE1FF59351F14427BE80DC7292CB74A8458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF84900026B Relevance: 2.3, Strings: 1, Instructions: 1051COMMON

Download Yara Rule

Strings

A, xrefs: 00007FF849000786

Memory Dump Source

Source File: 00000000.00000002.4459305751.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_Scan.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: fac0287f822eb43272a190d9cf534e993ad9d3b8b6e85088e5fdcdd0b51c6393
Instruction ID: 64e2e2b086f94929b2ed1291777bfb541f3a3b82492447c369a097b696dd9908
Opcode Fuzzy Hash: fac0287f822eb43272a190d9cf534e993ad9d3b8b6e85088e5fdcdd0b51c6393
Instruction Fuzzy Hash: A6620A72C0DAC64FEB66EB2498555B4BBB0FF56344F1845FAC089CB093FA28A846C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F333C4 Relevance: 1.6, APIs: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FF848F33481

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1c5f7ec304c128321b4a553cfa68231a5f0664f68328f8db52dc7bb1cf4b9bc1
Instruction ID: c165684e3e3d3aaa7d1aa7f5b5703e3dde58b44f565e151426215ac26caf19ee
Opcode Fuzzy Hash: 1c5f7ec304c128321b4a553cfa68231a5f0664f68328f8db52dc7bb1cf4b9bc1
Instruction Fuzzy Hash: 0031E53190CA4C9FDB18EBA8984A6F9BBE1FB55321F04426FD049C3292CB646856CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F30925 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 00007FF848F309AF

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 2f92f1b603840c8bed0f5acedd8eb04975eabc4a9ce049f4abe9c7a40661701e
Instruction ID: 8f657afa81bb30b6bbcb055cf10257250a12d13d8eaeb3e76302b08b39fd5a2b
Opcode Fuzzy Hash: 2f92f1b603840c8bed0f5acedd8eb04975eabc4a9ce049f4abe9c7a40661701e
Instruction Fuzzy Hash: D021717190CA088FEB68EF59D84A7EA7BE0EB65311F00416FD049C3592DB75A445CB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF848F44C19 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458653382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_Scan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baffe8d3a2089e7b67b94371784351bc3b486da3339cf44f604c8b8c7bc5ad57
Instruction ID: 256d2ba639abead19d433ef12c81364d16f698cc5293ba65a67a4dd48b3dd73e
Opcode Fuzzy Hash: baffe8d3a2089e7b67b94371784351bc3b486da3339cf44f604c8b8c7bc5ad57
Instruction Fuzzy Hash: 3F512232A0D3950FD31EAA385C550A27FA5EBA722471A82EFD0C6CF1E7E514980B8391

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Scan.exePID: 2380, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 5020, Parent PID: 2380

General

Chronological Activities

Disassembly

Analysis Process: Scan.exePID: 2380, Parent PID: 1028COMMON

Windows Analysis Report
Scan.exe

Function 00007FF848F31099 Relevance: 4.1, Strings: 3, Instructions: 361
COMMON

Function 00007FF848F32130 Relevance: 3.2, Strings: 2, Instructions: 728
COMMON

Function 00007FF848F34B08 Relevance: 3.1, Strings: 2, Instructions: 630
COMMON

Function 00007FF848F32DC0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 267
libraryCOMMON