Edit tour

Windows Analysis Report
URGENT ORDER.exe

Overview

General Information

Sample name:	URGENT ORDER.exe
Analysis ID:	1432051
MD5:	4498a75f6f27e3e03a0b14ba933c0a06
SHA1:	259d54f92d825925cf87c9057d5d0c47a0c50bfb
SHA256:	270da7ba03177d793879ddc0272e94a0003e9327298879463693f7b78f199e28
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries Google from non browser process on port 80

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

URGENT ORDER.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\URGENT ORDER.exe" MD5: 4498A75F6F27E3E03A0B14BA933C0A06)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: URGENT ORDER.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: URGENT ORDER.exe

ReversingLabs: Detection: 41%

Machine Learning detection for sample

Source: URGENT ORDER.exe

Joe Sandbox ML: detected

Source: URGENT ORDER.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Queries Google from non browser process on port 80

Source: C:\Users\user\Desktop\URGENT ORDER.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\URGENT ORDER.exe	HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.com

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: URGENT ORDER.exe	String found in binary or memory: http://www.google.com
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj0
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/t
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comd
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: URGENT ORDER.exe

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Code function: 0_2_01546D58	0_2_01546D58
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Code function: 0_2_01544D00	0_2_01544D00
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Code function: 0_2_0154A8D0	0_2_0154A8D0
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Code function: 0_2_01547C38	0_2_01547C38

Source: URGENT ORDER.exe, 00000000.00000002.2109013393.00000000015FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs URGENT ORDER.exe

Source: classification engine

Classification label: mal76.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\URGENT ORDER.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT ORDER.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Mutant created: NULL

Source: URGENT ORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: URGENT ORDER.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: URGENT ORDER.exe

ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: URGENT ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: URGENT ORDER.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: URGENT ORDER.exe, Jm1s.cs

.Net Code: NewLateBinding.LateCall(objectValue3, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: URGENT ORDER.exe, Jm1s.cs

.Net Code: r2GY System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Code function: 0_2_015462C8 push esp; ret

0_2_015462D1

Source: URGENT ORDER.exe, Gb7.cs

High entropy of concatenated method names: 'Ri', 'o7', 'q9', 'n6', 'a0', 'g6', 'Gy', 'Ki', 'By', 'Na'

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Window / User API: threadDelayed 368

Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6484	Thread sleep count: 368 > 30	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 380	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 5876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: URGENT ORDER.exe, 00000000.00000002.2109013393.0000000001680000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Code function: 0_2_01544528 LdrInitializeThunk,

0_2_01544528

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe	Queries volume information: C:\Users\user\Desktop\URGENT ORDER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENT ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\URGENT ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
URGENT ORDER.exe	42%	ReversingLabs	Win32.Trojan.CrypterX
URGENT ORDER.exe	100%	Avira	HEUR/AGEN.1306374
URGENT ORDER.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://csp.withgoogle.com/csp/gws/other-hp	0%	URL Reputation	safe
http://www.google.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.217.196	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.google.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.com	URGENT ORDER.exe	false		high
http://www.google.com/t	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.comd	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://csp.withgoogle.com/csp/gws/other-hp	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/api.js	URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.217.196	www.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432051
Start date and time:	2024-04-26 11:08:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	URGENT ORDER.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@1/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 7 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:09:07	API Interceptor	4x Sleep call for process: URGENT ORDER.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT ORDER.exe.log

Download File

Process:	C:\Users\user\Desktop\URGENT ORDER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	5.352137456245207
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzeR
MD5:	6528E95543E9D6B5CB09943FFE83FE57
SHA1:	2D4155B775F71A7A563B84AFE229B2ABC9FA9970
SHA-256:	B7CC26CEFD40680D7C4C86322C32B484F9A888FFB3F540A5641841CA2AC4FE37
SHA-512:	15A91B7318C816AB8C5B97DD9383200796BD08EE8229B1027FB88539C034BB6B77B202AF952D598BA4E6778489CBC80ED7BC0B04CA294FCC7A1351C7F7CCAC2A
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.265733484903767
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	URGENT ORDER.exe
File size:	810'496 bytes
MD5:	4498a75f6f27e3e03a0b14ba933c0a06
SHA1:	259d54f92d825925cf87c9057d5d0c47a0c50bfb
SHA256:	270da7ba03177d793879ddc0272e94a0003e9327298879463693f7b78f199e28
SHA512:	16270ddb916f438bac3c54112ee908ac0ce2c0acf7dc0533f02e6dc49c33a8fb33272aed3e39ce11dbe420fec9ecf577752ed4bd6a203a33630f013ff912fbbf
SSDEEP:	12288:PXc87X+bXPXST4Fof1XUhRtK+CVIN2X9yKBg7vj3pz17:PXcH/X4ypoig9yKe/5z17
TLSH:	4A056CEB07A6B905F6BF2BB45762D294977468C73D41E54840838385AB3F3C2BE811E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..%.........."...P..V...........s... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c73fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x25140376 [Sun Sep 17 20:49:58 1989 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc73a8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x324	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5404	0xc5600	7f9b5f6a4c7b48a20a68bc32152202c4	False	0.5299400827264091	data	6.273449204021412	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x324	0x400	68c1051d8777cdf5e4a01b7da21cf705	False	0.3505859375	data	2.5970102334330645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	91f50c1345a8d1af0aa4a2d995d0947d	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc8058	0x2cc	data			0.45251396648044695

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:09:07.191756964 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:07.375911951 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:07.376034975 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:07.376905918 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:07.560718060 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:07.848700047 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:07.848737955 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:07.848858118 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:07.853183985 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:08.037781954 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:08.049961090 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:08.050003052 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:08.050017118 CEST	80	49704	142.250.217.196	192.168.2.5
Apr 26, 2024 11:09:08.050147057 CEST	49704	80	192.168.2.5	142.250.217.196
Apr 26, 2024 11:09:08.087634087 CEST	49704	80	192.168.2.5	142.250.217.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:09:07.058430910 CEST	49526	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:09:07.184510946 CEST	53	49526	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 11:09:07.058430910 CEST	192.168.2.5	1.1.1.1	0x2f1c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 11:09:07.184510946 CEST	1.1.1.1	192.168.2.5	0x2f1c	No error (0)	www.google.com		142.250.217.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	142.250.217.196	80	5040	C:\Users\user\Desktop\URGENT ORDER.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:09:07.376905918 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Apr 26, 2024 11:09:07.848700047 CEST	1289	IN	HTTP/1.1 302 Found Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIs96tsQYQpfDW4gISBGaBmNw Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-rtlTEG7THXIrhsrVQXkOpA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 09:09:07 GMT Server: gws Content-Length: 396 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-09; expires=Sun, 26-May-2024 09:09:07 GMT; path=/; domain=.google.com; Secure Set-Cookie: AEC=AQTF6HwKPAnAYxiLDlK8oJghc41YoLMpfiw0INl1Bny6GQmdC-oXXXcqYx4; expires=Wed, 23-Oct-2024 09:09:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=513=k_NwioEyMjHW03lQsPoPoaZWwtEi1SY50ga_oMx4IH54vRNySWw1Rxze3e9C9RFzrOp6VMeXRs5mjxAHQ2akpe2tEzBYKhgNkpyO3Y_MifuuR6tgZ6g0-ZmYEKKPvGo9SojxH_ybHlB5eJJvft17lVfThvZ7RoD0T95WMd3cL0Y; expires=Sat, 26-Oct-2024 09:09:07 GMT; path=/; domain= Data Raw: Data Ascii:
Apr 26, 2024 11:09:07.848737955 CEST	420	IN	Data Raw: 67 6f 6f 67 6c 65 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f Data Ascii: google.com; HttpOnly<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://w
Apr 26, 2024 11:09:07.853183985 CEST	213	OUT	GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com
Apr 26, 2024 11:09:08.049961090 CEST	1289	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 09:09:07 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3054 X-XSS-Protection: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 20 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 63 6f 6e 74 61 69 6e 3b 22 20 6f 6e 6c 6f 61 64 3d 22 65 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 27 29 3b 69 66 28 65 29 7b 65 2e 66 6f 63 75 73 28 29 3b 7d 20 69 66 28 73 6f 6c 76 65 53 69 6d 70 6c 65 43 68 61 6c 6c 65 6e 67 65 29 20 7b 73 6f 6c 76 65 53 69 6d 70 6c 65 43 68 61 6c 6c 65 6e 67 65 28 2c 29 3b 7d 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 78 2d 77 69 64 74 68 3a 34 30 30 70 78 3b 22 3e 0a 3c 68 72 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 63 63 63 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 22 3e 3c 62 72 3e 0a 3c 66 6f 72 6d 20 69 64 3d 22 63 61 70 74 63 68 61 2d 66 6f 72 6d 22 20 61 63 74 69 6f 6e 3d 22 69 6e 64 65 78 22 20 6d 65 74 68 6f 64 3d 22 70 6f 73 74 22 3e 0a 3c 6e 6f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 22 3e 0a 20 20 49 6e 20 6f 72 64 65 72 20 74 6f 20 63 6f 6e 74 69 6e 75 65 2c 20 70 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 6a 61 76 61 73 63 72 69 70 74 20 6f 6e 20 79 6f 75 72 20 77 65 62 20 62 72 6f 77 73 65 72 2e 0a 3c 2f 64 69 76 3e 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 61 70 69 2e 6a 73 22 20 61 73 79 6e 63 20 64 65 66 65 72 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
Apr 26, 2024 11:09:08.050003052 CEST	1289	IN	Data Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="UWUHtrzoXqalho1sCG-vDHilPNbUYCe5VXV8pDNp2TgfiKodvDPzz9rLum8e87xmRj9bORdBX0C2zqB_biQpGSXALUOW-c2Fu1Zl5YolLI3Eu3X3M3A-dsi3_kYoGnOG7EcqEy1wMZLXeChgGsyVRy9
Apr 26, 2024 11:09:08.050017118 CEST	756	IN	Data Raw: 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e 67 20 74 68 65 20 61 62 6f 76 65 Data Ascii: will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a script that sends autom

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: URGENT ORDER.exePID: 5040, Parent PID: 1028

General

Target ID:	0
Start time:	11:09:06
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\URGENT ORDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\URGENT ORDER.exe"
Imagebase:	0xfd0000
File size:	810'496 bytes
MD5 hash:	4498A75F6F27E3E03A0B14BA933C0A06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: URGENT ORDER.exePID: 5040, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	50%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 01546D58 Relevance: 11.2, Strings: 8, Instructions: 1213COMMON

Download Yara Rule

Strings

,wq, xrefs: 01546E38
Hwq, xrefs: 01547426
,wq, xrefs: 0154790A
,wq, xrefs: 01547918
(osq, xrefs: 015478A0
(osq, xrefs: 01547892
(osq, xrefs: 0154755A
,wq, xrefs: 01546E2E

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$,wq$,wq$,wq$,wq$Hwq
API String ID: 0-4109031305
Opcode ID: 50e1bbd8b683b0937ee4e86c710dcccad99b55e3b8ff87863115a7830e58cd37
Instruction ID: e3aa92fc81a70820f68a4b157fdedf8d8c5cd16cd270c8fa18cbc24dccd7d234
Opcode Fuzzy Hash: 50e1bbd8b683b0937ee4e86c710dcccad99b55e3b8ff87863115a7830e58cd37
Instruction Fuzzy Hash: 61A28D70A002099FDB15CFA9C884AAEBBF6FF89314F258469E915DB365DB30DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01544D00 Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8wq, xrefs: 01544DAA
8wq, xrefs: 01544D9A

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID:
String ID: 8wq$8wq
API String ID: 0-2650277074
Opcode ID: 3ec78c6abd68afd8e2f80bc7b105c47057a39439a5725b7d461940a7a487c241
Instruction ID: 3d3b8864f92fd95e8d5e392b46520882785acb5763ca6c5d0ae6754c2c438dde
Opcode Fuzzy Hash: 3ec78c6abd68afd8e2f80bc7b105c47057a39439a5725b7d461940a7a487c241
Instruction Fuzzy Hash: 97E1B074E05228CFDB65DFA9C844BDDBBF2BF89304F1081AAD509AB251EB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01544528 Relevance: 1.6, APIs: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015445E4

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea764ca9c0f1795c32ac908e551c0dc78a0afabd9d4867e49d2c9eb0e4a9bf2b
Instruction ID: c3c30c57870aa7cf51759c14ee3168ee8f3fc0bd0b460525edc95967d7622adf
Opcode Fuzzy Hash: ea764ca9c0f1795c32ac908e551c0dc78a0afabd9d4867e49d2c9eb0e4a9bf2b
Instruction Fuzzy Hash: 75212974D012088BDF04DFAAD5087EEFBF5BB89314F149029D411B7294DB388A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01544518 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015445E4

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d86ba41ca79b0946a1bf6017516f40b2f80e39a6ac9875df39b0368de626b1e3
Instruction ID: 5b0ae50387b345b7c619b19732e77a933ec061e84ba5ee9dd95ca7fe84e69ff2
Opcode Fuzzy Hash: d86ba41ca79b0946a1bf6017516f40b2f80e39a6ac9875df39b0368de626b1e3
Instruction Fuzzy Hash: 69115B74E412088BEB08CFAAD5153EEFBF6BF89324F14942AD40567294DB354A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01544618 Relevance: 1.5, APIs: 1, Instructions: 25
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015445E4

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ff99a022531283c6a41044297c9b2f37a1fbfedfe0e4429b589e97eafdf9d46
Instruction ID: 2592f6fcea19780de05b39dd0ea04a4a9ec7ecd614acffcd71ecb63535d2b8f1
Opcode Fuzzy Hash: 9ff99a022531283c6a41044297c9b2f37a1fbfedfe0e4429b589e97eafdf9d46
Instruction Fuzzy Hash: 0AE02661E4D290CBCB108BB48C051B43F74FA4710A70018D9D145CF421EA24C21BD760

Uniqueness

Uniqueness Score: -1.00%

Function 014ED5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2108210438.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_URGENT ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2233fb87b1bc7c4b708419ffec244899d67fb390df3107fa39990c164035e66c
Instruction ID: 1d31e683bc64e525e068b18b2d9c7bd301d69b9fe349d2f76b9a35eac14159fa
Opcode Fuzzy Hash: 2233fb87b1bc7c4b708419ffec244899d67fb390df3107fa39990c164035e66c
Instruction Fuzzy Hash: 3D2133B1904200DFCB05DF68C9C8B27BFA5FB84315F20856AE90E0B266C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2108210438.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_URGENT ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: d0a4c40215734b2c96aba16df5ffbcd61633950bc1351140184ea7198c8596f6
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 8C11DF76804240CFCB12CF54D9C4B16BFA2FB84314F2486AAD8090B266C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01547C38 Relevance: 12.2, Strings: 9, Instructions: 979COMMON

Download Yara Rule

Strings

(osq, xrefs: 015481F1
(osq, xrefs: 01547E05
(osq, xrefs: 01547EA2
(osq, xrefs: 01548201
(osq, xrefs: 01547D1E
(osq, xrefs: 01547DD9
,wq, xrefs: 01548192
(osq, xrefs: 015482B1
,wq, xrefs: 01548182

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1234722368
Opcode ID: caae51796f70e03c81cd2a41b21588dc7c5e3d4488d6a51f9f800176b3bb6271
Instruction ID: f1020b2404674e95b427d8e717dbf9d605677f9618c887d0ee7a361c669a3ee6
Opcode Fuzzy Hash: caae51796f70e03c81cd2a41b21588dc7c5e3d4488d6a51f9f800176b3bb6271
Instruction Fuzzy Hash: F0924B30A00209DFDB15CFA8D984AAEBBF2FF88318F158959E5559B3A1DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0154A8D0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2108389234.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_URGENT ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041cdd2c9d4f1b4d1b9101d5db103daa4e7a2968f441cb42b9778579e7ca303f
Instruction ID: 33e98ea7e848a1e725bee3647aa39e1ce66c2fa1b073d9fb99b902f43816a02d
Opcode Fuzzy Hash: 041cdd2c9d4f1b4d1b9101d5db103daa4e7a2968f441cb42b9778579e7ca303f
Instruction Fuzzy Hash: 19D1B574E013199FDB54DFAAC954B9DBBF2BF89300F2481AAE509AB354DB305A81CF50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report URGENT ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT ORDER.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
URGENT ORDER.exe

Function 01544D00 Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Function 01544528 Relevance: 1.6, APIs: 1, Instructions: 69
libraryCOMMON

Function 01544518 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 01544618 Relevance: 1.5, APIs: 1, Instructions: 25
libraryCOMMON

Function 014ED5B8 Relevance: .1, Instructions: 75
COMMON