Edit tour

Windows Analysis Report
cr0wdik.exe

Overview

General Information

Sample name:	cr0wdik.exe
Analysis ID:	1431502
MD5:	5524a506c0c49d3df2570808a38c3895
SHA1:	576011c0810f286b8945aaae9cd8656b75268bf6
SHA256:	7f51b7de954a8b4c25429c584ea282b9b6d7321a9032e4524f7c7ac38776dfcc
Errors No process behavior to analyse as no analysis process or sample was found

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cr0wdik.exe

Avira: detected

Source: cr0wdik.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cr0wdik.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: cr0wdik.exe

Source: cr0wdik.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: cr0wdik.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: cr0wdik.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: cr0wdik.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: cr0wdik.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: cr0wdik.exe	String found in binary or memory: http://ocsp.comodoca.com0&
Source: cr0wdik.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: cr0wdik.exe	String found in binary or memory: http://s.360safe.com/safei18n/
Source: cr0wdik.exe	String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen
Source: cr0wdik.exe	String found in binary or memory: https://sectigo.com/CPS0D

Source: cr0wdik.exe

Binary or memory string: OriginalFilenameSandboxMain.exe8 vs cr0wdik.exe

Source: cr0wdik.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cr0wdik.exe

Binary string: K`XD%machinename%%UserProfile%*\Documents and Settings\*\Local Settings\Temp\**\Documents and Settings\*\Local Settings\Temporary Internet Files\**\Documents and Settings\*\Cookies\**\AppData\Local\Temp\**\AppData\Roaming\Microsoft\Windows\Cookies\*.wmv.rmvb.rm.mpg.mp4.mov.mkv.flv.avi.3gp.wma.ra.mp3.ogg.mka.m4a.ac3.aac.xlsx.xls.pptx.ppt.txt.pdf.docx.doc..CacheSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders360SANDBOX\SHADOW360sandbox\filelist_page.xml::{26EE0668-A00A-44D7-9371-BEB064C98683}IDS_MEDIA_LIST_DESCIDS_DOCUMENT_LIST_DESCIDS_DELETE_PROMPT_MSGPreferred DropEffectIDS_COPY_PRMPT360SandBox\Shadow360SANDBOX\SHADOW\IDS_UPPER_FOLDERIDS_DATE_TIME_FMT%Y-%m-%d %H:%MC:\sxin.dllsxin64.dllSxWrapper.dllWINDOWS\SXIn.dllIDS_CRITICAL_FILE_PROMPT_MSG\Device\FloppyX

Source: classification engine

Classification label: mal48.winEXE@0/0@0/0

Source: cr0wdik.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cr0wdik.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: cr0wdik.exe

Static file information: File size 800000000 > 1048576

Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cr0wdik.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cr0wdik.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: cr0wdik.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: cr0wdik.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cr0wdik.exe	100%	Avira	HEUR/AGEN.1320513

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	cr0wdik.exe	false	URL Reputation: safe	unknown
http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen	cr0wdik.exe	false		high
http://ocsp.sectigo.com0	cr0wdik.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	cr0wdik.exe	false	URL Reputation: safe	unknown
http://s.360safe.com/safei18n/	cr0wdik.exe	false		high
https://sectigo.com/CPS0D	cr0wdik.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431502
Start date and time:	2024-04-25 10:54:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	0
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	cr0wdik.exe
Detection:	MAL
Classification:	mal48.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Errors

No process behavior to analyse as no analysis process or sample was found

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.025967928040329075
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cr0wdik.exe
File size:	800'000'000 bytes
MD5:	5524a506c0c49d3df2570808a38c3895
SHA1:	576011c0810f286b8945aaae9cd8656b75268bf6
SHA256:	7f51b7de954a8b4c25429c584ea282b9b6d7321a9032e4524f7c7ac38776dfcc
SHA512:	845cf6700361e9a579f01afa4fc085f8b4c6ca6005549117e5a3830448dbfdb0f2385efcc762eaf568fcd2520f39c700582a58bd06c1e9eb49176e402885ea66
SSDEEP:
TLSH:
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W.............A..................................y............A.......A..........8...........................Rich...........

Static PE Info

General

Entrypoint:	0x484599
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x61CBE252 [Wed Dec 29 04:21:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	589d5431ef7b1cc3537e4bce607e5a48

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FEDC91BDD6Ah
jmp 00007FEDC91ADCFEh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007FEDC91ADEEBh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007FEDC91ADE98h
cmp edx, 00000100h
jc 00007FEDC91ADE90h
cmp dword ptr [004D29ECh], 00000000h
je 00007FEDC91ADE87h
jmp 00007FEDC91BDE19h
push edi
mov edi, ecx
cmp edx, 04h
jc 00007FEDC91ADEB3h
neg ecx
and ecx, 03h
je 00007FEDC91ADE8Eh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007FEDC91ADE78h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007FEDC91ADE88h
rep stosd
test edx, edx
je 00007FEDC91ADE8Ch
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007FEDC91ADE78h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
int3
int3
push 00484690h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004C9614h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], 000000FEh

Rich Headers

Programming Language:

[C++] VS2005 build 50727
[ASM] VS2008 SP1 build 30729
[C++] VS2008 build 21022
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc5b3c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x718dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13de00	0x2c30	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x8390	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa7b80	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb7ff0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa7000	0x7f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa6000	0xa5c00	cfa501fcee61a4f54cd2bd96af7caeb4	False	0.5107407145550528	data	6.725976260581619	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa7000	0x22000	0x21800	62a03995eb91942b1ce36066c931dab6	False	0.3590616254664179	data	5.060022858539004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc9000	0xb000	0x4c00	6164a2ab25e1d08b6fe7876af9635b55	False	0.2515933388157895	data	4.46748708080796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x718dc	0x71a00	510d68410186ff585e0b84769cf4b3a7	False	0.5334738551980198	data	6.900584843089922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0xd44bc	0xbe36	PC bitmap, Windows 3.x format, 6244 x 2 x 41, image size 49121, cbSize 48694, bits offset 54			0.704542654125765
RT_ICON	0xe02f4	0xacb8	PC bitmap, Windows 3.x format, 5810 x 2 x 53, image size 44297, cbSize 44216, bits offset 54			0.5052695856703455
RT_ICON	0xeafac	0x78b5	PC bitmap, Windows 3.x format, 4675 x 2 x 39, image size 31020, cbSize 30901, bits offset 54			0.46985534448723343
RT_ICON	0xf2864	0x7ae2	PC bitmap, Windows 3.x format, 4330 x 2 x 42, image size 31607, cbSize 31458, bits offset 54			0.538177887977621
RT_ICON	0xfa348	0x40fa6	PC bitmap, Windows 3.x format, 33791 x 2 x 45, image size 266630, cbSize 266150, bits offset 54			0.5021491640052602
RT_ICON	0x13b2f0	0x4aab	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9882291394193042
RT_ICON	0x13fd9c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27188796680497923
RT_ICON	0x142344	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3395872420262664
RT_ICON	0x1433ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3395390070921986
RT_ICON	0x143854	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_ICON	0x143cbc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ACCELERATOR	0x144564	0x8	data	English	United States	2.0
RT_RCDATA	0x14456c	0x80	data	English	United States	1.0859375
RT_GROUP_ICON	0x1445ec	0x3e	data	English	United States	0.8064516129032258
RT_GROUP_ICON	0x14462c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x144640	0x14	data	English	United States	1.25
RT_VERSION	0x144654	0x338	data	Chinese	Taiwan	0.45145631067961167
RT_VERSION	0x14498c	0x338	data	English	United States	0.45145631067961167
RT_VERSION	0x144cc4	0x338	data	Portuguese	Brazil	0.45145631067961167
RT_VERSION	0x144ffc	0x338	data	Turkish	Turkey	0.4526699029126214
RT_VERSION	0x145334	0x338	data	Chinese	China	0.45145631067961167
RT_MANIFEST	0x14566c	0x26e	ASCII text, with CRLF line terminators	English	United States	0.5176848874598071

Imports

DLL	Import
KERNEL32.dll	FindNextVolumeW, FindVolumeClose, GetFileAttributesW, CreateThread, ExitProcess, GetProcessTimes, CompareFileTime, GetLongPathNameW, GetDiskFreeSpaceExW, GetTempFileNameW, SetFilePointer, HeapAlloc, HeapFree, GetProcessHeap, WriteFile, TerminateProcess, OpenMutexW, LoadLibraryA, DeviceIoControl, ReleaseMutex, SystemTimeToFileTime, FileTimeToSystemTime, GetModuleHandleA, HeapWalk, HeapLock, OpenThread, HeapUnlock, OutputDebugStringW, GetFileSizeEx, SetFilePointerEx, LocalFileTimeToFileTime, lstrcmpiA, GetTimeZoneInformation, SetEnvironmentVariableA, CompareStringW, QueryDosDeviceW, CreateFileA, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetLocaleInfoW, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetStringTypeA, FlushFileBuffers, GetConsoleMode, FreeResource, FindFirstVolumeW, GetFileType, SetHandleCount, GetDateFormatA, GetTimeFormatA, HeapCreate, GetModuleFileNameA, GetStdHandle, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, GetOEMCP, GetACP, GetStringTypeW, LCMapStringW, LCMapStringA, RtlUnwind, GetStartupInfoW, GetCPInfo, GetSystemTimeAsFileTime, ExitThread, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, lstrlenA, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapSize, HeapReAlloc, HeapDestroy, FindNextFileW, FindClose, FindFirstFileW, GetShortPathNameW, CompareStringA, GetVolumePathNamesForVolumeNameW, GetSystemWindowsDirectoryW, SetLastError, CreateProcessW, SizeofResource, GlobalFree, CreateMutexW, GetLastError, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, GetSystemInfo, FreeConsole, GetCurrentProcessId, LoadLibraryExW, Sleep, InterlockedCompareExchange, InterlockedExchange, GetTempPathW, ReadFile, CreateFileW, GetDriveTypeW, GetModuleFileNameW, GetWindowsDirectoryW, GetFileAttributesExW, MultiByteToWideChar, GetUserDefaultUILanguage, SetCurrentDirectoryW, MulDiv, GetPrivateProfileStringW, lstrcpyW, GetCurrentThreadId, FlushInstructionCache, GetModuleHandleW, GetVersion, GetVersionExW, InterlockedDecrement, TerminateThread, lstrcmpW, GlobalAlloc, GlobalLock, GlobalUnlock, SetErrorMode, lstrcmpiW, lstrlenW, OpenProcess, CreateEventW, SetEnvironmentVariableW, GetSystemDirectoryW, GetCommandLineW, ExpandEnvironmentStringsW, DeleteFileW, GetFileSize, InterlockedIncrement, RaiseException, GetStartupInfoA, ProcessIdToSessionId, GetConsoleCP, EnterCriticalSection, FreeLibrary, LeaveCriticalSection, GetProcAddress, LoadLibraryW, CloseHandle, WaitForSingleObject, GetCurrentProcess, WideCharToMultiByte, FindResourceExW, FindResourceW, LoadResource, LockResource, lstrcmpA
USER32.dll	PostMessageW, FindWindowW, SetFocus, SetWindowPos, SendMessageW, UnregisterClassA, GetParent, EnableWindow, IsWindow, ClientToScreen, CreateAcceleratorTableW, RedrawWindow, GetSysColor, GetClassNameW, GetDlgItem, GetFocus, IsChild, EndPaint, BeginPaint, GetWindowTextW, GetWindowTextLengthW, TranslateAcceleratorW, LoadAcceleratorsW, RegisterClipboardFormatW, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, InflateRect, InternalGetWindowText, OpenDesktopW, GetThreadDesktop, EnumWindows, CloseDesktop, OpenWindowStationW, MoveWindow, SetCapture, RegisterWindowMessageW, SetWindowLongW, FindWindowExW, CallWindowProcW, GetWindowLongW, GetProcessWindowStation, SetProcessWindowStation, CloseWindowStation, EnumDesktopsW, GetDC, ReleaseDC, GetMonitorInfoW, AllowSetForegroundWindow, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, SetForegroundWindow, SetActiveWindow, GetKeyboardState, keybd_event, GetWindowRect, GetDesktopWindow, LoadIconW, InvalidateRect, GetActiveWindow, WaitForInputIdle, DestroyIcon, CopyRect, DrawIconEx, SetTimer, KillTimer, ShowWindow, GetClientRect, IsDialogMessageW, IsRectEmpty, OffsetRect, IsWindowVisible, MapWindowPoints, MonitorFromWindow, GetWindow, SetWindowTextW, LoadCursorW, RegisterClassExW, GetClassInfoExW, DefWindowProcW, DestroyWindow, GetMessageW, TranslateMessage, DispatchMessageW, CreateWindowExW, DrawTextW, PtInRect, GetMessagePos, ScreenToClient, SetRectEmpty, SetRect, SetCursor, GetWindowDC, GetClassLongW, SetClassLongW, EnumWindowStationsW, CharNextW, PeekMessageW, DestroyAcceleratorTable, InvalidateRgn, LoadImageW, GetSystemMetrics, SystemParametersInfoW, LoadStringW, SendMessageTimeoutW, FillRect, ReleaseCapture
GDI32.dll	GetStockObject, GetPixel, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, CreateFontW, GetTextExtentPoint32W, SetViewportOrgEx, GetTextMetricsW, SelectObject, GetObjectW, GetObjectA, GetDeviceCaps, BitBlt, CreateSolidBrush, DeleteObject
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	RegCreateKeyExW, GetTokenInformation, OpenProcessToken, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegDeleteKeyW, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteValueW, RegQueryValueExA, RegEnumKeyExA, RegOpenKeyExA
SHELL32.dll	SHGetSpecialFolderPathW, ExtractIconExW, SHGetPathFromIDListW, ShellExecuteW, SHGetFileInfoW, SHGetDesktopFolder, SHGetFolderPathW, SHFileOperationW, SHGetSpecialFolderLocation
ole32.dll	CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CreateStreamOnHGlobal, OleLockRunning, StringFromGUID2, OleUninitialize, OleInitialize, CoCreateInstance, CoTaskMemRealloc, CoTaskMemFree, CoTaskMemAlloc, CoInitialize, CoUninitialize
OLEAUT32.dll	SysFreeString, SysAllocString, VariantClear, SafeArrayGetVartype, SafeArrayCopy, VariantCopy, VariantInit, SafeArrayGetLBound, SafeArrayGetUBound, SysAllocStringLen, LoadTypeLib, LoadRegTypeLib, SysStringLen, OleCreateFontIndirect, VarUI4FromStr, VarBstrCmp, SafeArrayUnlock, SafeArrayLock, SafeArrayDestroy, SafeArrayCreate, DispCallFunc
SHLWAPI.dll	PathCompactPathW, StrCmpNIW, PathIsDirectoryW, StrStrIW, PathRemoveFileSpecW, PathFileExistsW, PathAppendW, SHGetValueW, PathCombineW, StrCmpIW, PathFindExtensionW, StrCmpNW, StrChrW, PathMatchSpecW, PathIsFileSpecW, PathIsRootW, wnsprintfW, SHGetValueA, PathIsRelativeW, SHSetValueW, ColorHLSToRGB, ColorRGBToHLS, PathFindFileNameW, SHSetValueA
COMCTL32.dll	InitCommonControlsEx
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
gdiplus.dll	GdipSetPathGradientCenterColor, GdipCreatePathGradientFromPath, GdipSetPathGradientSurroundColorsWithCount, GdipGetPathGradientPointCount, GdipAddPathEllipseI, GdipDrawLine, GdipDrawImageRectRectI, GdipNewPrivateFontCollection, GdipDeletePrivateFontCollection, GdipCreateFromHWND, GdipGetFontHeight, GdipResetClip, GdipPrivateAddMemoryFont, GdipTranslateWorldTransform, GdipAddPathPie, GdipSetPathGradientCenterPoint, GdipSetInterpolationMode, GdipSaveImageToFile, GdipGetImageEncoders, GdipAddPathLine, GdipSetClipRectI, GdipSetTextRenderingHint, GdipCreateBitmapFromFile, GdipGetImageEncodersSize, GdipSetPathGradientGammaCorrection, GdipGetPathWorldBoundsI, GdipAddPathLine2, GdipCreateBitmapFromStream, GdipAddPathArc, GdipGetFontCollectionFamilyList, GdipCloneFontFamily, GdipDeleteFontFamily, GdipSetLinePresetBlend, GdipCreatePen2, GdipDrawRectangleI, GdipCreateLineBrushFromRect, GdipAddPathRectangleI, GdipGetPixelOffsetMode, GdipSetPenWidth, GdipDrawEllipseI, GdipSetPenDashOffset, GdipAddPathLineI, GdipSetPixelOffsetMode, GdipDrawImageRectI, GdipGetImageGraphicsContext, GdipGetImagePixelFormat, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromScan0, GdipBitmapSetPixel, GdipBitmapGetPixel, GdipGetImageHeight, GdipGetImageWidth, GdipDrawPath, GdipFillPath, GdipGetSmoothingMode, GdipDeletePath, GdipCreatePath, GdipFillRectangleI, GdipCreateLineBrushFromRectI, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipDrawString, GdipCloneBrush, GdipAlloc, GdipFree, GdipDeleteBrush, GdipCreateSolidFill, GdipFillRectangle, GdipMeasureString, GdipSetStringFormatAlign, GdipSetStringFormatLineAlign, GdipDeleteStringFormat, GdipCreateStringFormat, GdipDeleteFont, GdipCreateFontFromLogfontA, GdipCreateFontFromDC, GdipDrawRectangle, GdipDrawLineI, GdipSetPenDashStyle, GdipDeletePen, GdipCreatePen1, GdipDeleteGraphics, GdipCreateFromHDC, GdipDrawImagePointRectI, GdipResetWorldTransform, GdipCreateFont, GdipRotateWorldTransform, GdipSetSmoothingMode
IMM32.dll	ImmDisableIME
RPCRT4.dll	RpcStringFreeW, RpcAsyncCompleteCall, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcAsyncInitializeHandle, RpcBindingFree, NdrAsyncClientCall
WINTRUST.dll	WTHelperProvDataFromStateData, WinVerifyTrust
CRYPT32.dll	CertGetNameStringW
WTSAPI32.dll	WTSQuerySessionInformationW
USERENV.dll	GetUserProfileDirectoryW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan
Portuguese	Brazil
Turkish	Turkey
Chinese	China

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cr0wdik.exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
cr0wdik.exe