Windows Analysis Report
File-11F_385347.exe

Overview

General Information

Sample name: File-11F_385347.exe
Analysis ID: 1432286
MD5: 08ea1813d6b205c446e6ae655c4e6715
SHA1: 76f4d2af1c04ec157fc8a270da5980ee6bcb5def
SHA256: 12288224d26607b30d026a32faf2ac7b49fc32acc8950eeaf60b933f2e39f48f
Tags: Artemisexe

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: File-11F_385347.exe Virustotal: Detection: 8%
Source: File-11F_385347.exe, 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_5626c899-d

Compliance

Source: File-11F_385347.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: File-11F_385347.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: File-11F_385347.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183 (28 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 23.45.182.93 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 208.111.136.0 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233 (4 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112 (10 occurrences)
Source: global traffic HTTP traffic detected:
    GET /9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424 HTTP/1.1
    Host: contentworldinc.com
    User-Agent: NSIS_InetLoad (Mozilla)
    Accept: */*
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-04-26-17; NID=513=nnNvhDpc2wNur5rZ2GPGFYYW98DsoxA86Ww61SxrQhbN75bLgvGv66xto5kBou_BZhKvAQUkIJHuNQWnDyPOWmD2cDFR-PV6p_69ua1MuHp3KdSQzVdxG3lFb7byaUXTatUSMGCpLe3XoQ4DJntYUwZfNBnE2izQ4aeaz0zlO2U
Source: global traffic HTTP traffic detected:
    GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-04-26-17; NID=513=l_QNb-B5hpXOC8bBQtAnRM5M-JbSLPNITwf3h_zzOX-4tA7Uizy-BaeugZBG7UohQDR3Tb4z0cNNuel3fvNX5P-fJCml_L9vq2TTwKMYH4Rrj4_7jsYQ6-e9F0ZevySaj64gEML3uSW9TC_9wzv4XbwIZ6hlgXjNPVLsnuorypY
Source: global traffic HTTP traffic detected:
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic DNS traffic detected: DNS query: contentworldinc.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
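Most of the HTTP evidence above is sandbox background noise rather than behaviour of the sample: the Windows Update Agent and BITS requests to microsoft.com, and the Chrome new-tab-page requests to www.google.com come from the operating system and from the Chrome process that appears further down in the process list with an unknown parent. The one request that stands out is the GET to contentworldinc.com with the User-Agent "NSIS_InetLoad (Mozilla)", the default agent string of the NSIS InetLoad download plugin, and contentworldinc.com is also the one DNS query that is not Google's. The following script, an added example that is not part of the report or of the sandbox, parses a few evidence lines copied from this report and performs that separation; it splits the run-together header blocks ("HTTP/1.1Host: ...User-Agent: ...") in front of known header names, tags requests by User-Agent, and counts the direct-to-IP connections. The allow-list of background agents is a heuristic assumption of this example, not a rule a sandbox applies.

```python
"""Triage of the network evidence lines in a Joe Sandbox report.

Added example; it is not part of the report or of the sandbox. The text
rendering of the report runs the request headers together
("HTTP/1.1Host: ...User-Agent: ..."), so the parser splits in front of known
header names rather than on newlines. The background/sample split is an
assumption of this example: requests whose User-Agent belongs to Windows
Update, BITS or the Chrome process the sandbox launched are treated as noise,
everything else is attributed to the sample.
"""
import re
from collections import Counter

# Constructed input: evidence lines copied from this report (trimmed to a few).
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424 HTTP/1.1Host: contentworldinc.comUser-Agent: NSIS_InetLoad (Mozilla)Accept: */*",
    "Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com",
    "Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9",
    "Source: global traffic DNS traffic detected: DNS query: contentworldinc.com",
    "Source: global traffic DNS traffic detected: DNS query: www.google.com",
    "Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183",
    "Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183",
    "Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112",
]

HTTP_PREFIX = "HTTP traffic detected: "
DNS_PREFIX = "DNS traffic detected: DNS query: "
NO_DNS_PREFIX = "TCP traffic detected without corresponding DNS query: "

# Header names that occur in these renderings; the zero-width lookahead splits
# the run-together header block in front of each "Name: " without consuming it.
HEADER_NAMES = ("Host", "User-Agent", "Accept-Encoding", "Accept-Language", "Accept",
                "Connection", "Cookie", "Range", "If-Unmodified-Since", "X-Client-Data",
                "Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-Dest")
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))

# Assumed allow-list of background agents seen in this sandbox (heuristic, not a rule).
BACKGROUND_AGENTS = ("Microsoft BITS/", "Windows-Update-Agent/", "Mozilla/5.0 (Windows NT")


def parse_request(text):
    """Split 'GET /p HTTP/1.1Host: hUser-Agent: u' into ('GET /p', {'Host': 'h', ...})."""
    request_line, _, header_blob = text.partition(" HTTP/1.1")
    headers = {}
    for chunk in HEADER_SPLIT.split(header_blob):
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    return request_line, headers


def classify(user_agent):
    """Background (sandbox/OS/browser) or sample-originated, by User-Agent prefix."""
    return "background" if user_agent.startswith(BACKGROUND_AGENTS) else "sample"


def triage(lines):
    requests, dns_queries, no_dns = [], set(), Counter()
    for line in lines:
        if HTTP_PREFIX in line:
            request_line, headers = parse_request(line.split(HTTP_PREFIX, 1)[1])
            ua = headers.get("User-Agent", "")
            requests.append({"request": request_line, "host": headers.get("Host", ""),
                             "user_agent": ua, "origin": classify(ua)})
        elif DNS_PREFIX in line:
            dns_queries.add(line.split(DNS_PREFIX, 1)[1].strip())
        elif NO_DNS_PREFIX in line:
            no_dns[line.split(NO_DNS_PREFIX, 1)[1].strip()] += 1
    sample_hosts = {r["host"] for r in requests if r["origin"] == "sample"}
    return {
        "requests": requests,
        "dns_queries": dns_queries,
        "no_dns_ips": dict(no_dns),  # IP -> number of evidence lines
        "sample_hosts": sample_hosts,
        # Hosts the sample both resolved and talked to: the indicators worth pivoting on.
        "sample_hosts_resolved": sample_hosts & dns_queries,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for r in result["requests"]:
        print(f'{r["origin"]:10} {r["host"]:32} {r["user_agent"][:40]}')
    print("pivot hosts:", sorted(result["sample_hosts_resolved"]))
    print("direct-to-IP connections:", result["no_dns_ips"])
```

Run against the constructed lines it attributes only the contentworldinc.com request to the sample, leaves the BITS and Chrome requests as background, and reports two direct connections to 20.114.59.183 and one to 23.204.76.112. A User-Agent allow-list is deliberately weak evidence: a downloader can send a browser agent string, so hosts the sample resolved itself remain the stronger indicator.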
Source: File-11F_385347.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: File-11F_385347.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: File-11F_385347.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: File-11F_385347.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: File-11F_385347.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: File-11F_385347.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: File-11F_385347.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: File-11F_385347.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: File-11F_385347.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: File-11F_385347.exe String found in binary or memory: http://ocsp.sectigo.com0M
Source: MPC-HC.1.9.13.x86.exe.0.dr String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: File-11F_385347.exe, 00000000.00000003.1873509339.0000000001507000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000002.1875482614.000000000152C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3
Source: File-11F_385347.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: File-11F_385347.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: File-11F_385347.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: File-11F_385347.exe String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_00AB1380 0_2_00AB1380
Source: File-11F_385347.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus36.winEXE@15/3@3/5
Source: C:\Users\user\Desktop\File-11F_385347.exe File created: C:\Users\user\AppData\Local\MPC-HC
Source: File-11F_385347.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\File-11F_385347.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: File-11F_385347.exe Virustotal: Detection: 8%
Source: File-11F_385347.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: C:\Users\user\Desktop\File-11F_385347.exe File read: C:\Users\user\Desktop\File-11F_385347.exe
Source: unknown Process created: C:\Users\user\Desktop\File-11F_385347.exe "C:\Users\user\Desktop\File-11F_385347.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: File-11F_385347.exe Static PE information: certificate valid
Source: File-11F_385347.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: File-11F_385347.exe Static file information: File size 23731296 > 1048576
Source: File-11F_385347.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6afe00
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: File-11F_385347.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: File-11F_385347.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: File-11F_385347.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: File-11F_385347.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: File-11F_385347.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: File-11F_385347.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: File-11F_385347.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_010CB853 push ecx; ret 0_2_010CB866
Source: C:\Users\user\Desktop\File-11F_385347.exe File created: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe
Source: C:\Users\user\Desktop\File-11F_385347.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtual PCI Bus
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Driver
Source: File-11F_385347.exe, 00000000.00000003.1708572666.000000000152C000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000003.1708752786.000000000152D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\File-11F_385347.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_011223FD
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_0113553C mov eax, dword ptr fs:[00000030h] 0_2_0113553C
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_01126779 mov ecx, dword ptr fs:[00000030h] 0_2_01126779
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_011354F8 mov eax, dword ptr fs:[00000030h] 0_2_011354F8
Source: C:\Users\user\Desktop\File-11F_385347.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\File-11F_385347.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_010CB057 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010CB057
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_011223FD
Source: C:\Users\user\Desktop\File-11F_385347.exe Code function: 0_2_010CC06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_010CC06B
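Three of the signatures above rest on the code-function evidence in this block: "Contains functionality to read the PEB" (the mov r32, dword ptr fs:[30h] loads, since fs:[30h] is the PEB pointer on 32-bit Windows), "Contains functionality to check if a debugger is running" (IsDebuggerPresent, which returns the BeingDebugged byte at offset 2 of that PEB) and "Uses code obfuscation techniques (call, push, ret)" (the push ecx; ret at 0_2_010CB853). A practitioner should weigh them with two caveats. First, the API sequences IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter, SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess and GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter are also what the Visual C++ runtime's fail-fast handler, its /GS security-failure reporting and its security-cookie initialisation emit in every binary built with it, so by themselves they are weak evidence of bespoke anti-debugging. Second, a push reg; ret tail also occurs in legitimate compiler runtime helpers (the x86 stack-probe routine in some MSVC runtime versions ends that way), so a single hit is not obfuscation until the surrounding code has been read. The following byte scanner, an added example that is not sandbox code, shows what these signatures match at the opcode level and distinguishes a bare PEB read from an inlined IsDebuggerPresent; it runs over a constructed buffer standing in for a .text section, and the instruction encodings in its comments are assumptions the reader can verify with any x86 assembler.

```python
"""Linear byte scan for the x86 patterns behind three of the signatures above:
PEB reads through fs:[30h], an inlined IsDebuggerPresent (PEB.BeingDebugged is
the byte at offset 2) and push/ret control transfers. Added example, not
sandbox code; it runs over a constructed buffer that stands in for a .text
section. It matches bytes, not instructions, so a hit inside an immediate or
data is possible and each finding still has to be confirmed in a disassembler.
"""
import re

# 32-bit encodings (constructed; check them with any x86 assembler):
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]
#   64 8B /r 30 00 00 00   mov r32, dword ptr fs:[30h]  (/r = 05,0D,15,1D,25,2D,35,3D)
#   0F B6 /r 02            movzx r32, byte ptr [base+2] -> PEB.BeingDebugged
#   8A /r 02               mov r8, byte ptr [base+2]
#   50..57 C3              push r32 ; ret
#   68 imm32 C3            push imm32 ; ret  (a jmp imm32 in disguise)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
PUSH_REG_RET = re.compile(rb"[\x50-\x57]\xC3")
PUSH_IMM_RET = re.compile(rb"\x68[\x00-\xff]{4}\xC3")


def _modrm_base_plus_disp8(b):
    """ModRM with mod=01 (base + disp8) and no SIB byte (rm != 100b)."""
    return 0x40 <= b <= 0x7F and (b & 7) != 4


def _reads_being_debugged(buf, start, window=16):
    """True if a byte load from [reg+2] follows within `window` bytes of a PEB read."""
    chunk = buf[start:start + window]
    for i in range(len(chunk) - 2):
        if (chunk[i] == 0x0F and chunk[i + 1] == 0xB6 and i + 3 < len(chunk)
                and _modrm_base_plus_disp8(chunk[i + 2]) and chunk[i + 3] == 2):
            return True
        if chunk[i] == 0x8A and _modrm_base_plus_disp8(chunk[i + 1]) and chunk[i + 2] == 2:
            return True
    return False


def scan(buf):
    """Return sorted (offset, description) findings for the patterns above."""
    hits = []
    for m in PEB_READ.finditer(buf):
        if _reads_being_debugged(buf, m.end()):
            hits.append((m.start(), "inlined IsDebuggerPresent (PEB.BeingDebugged)"))
        else:
            hits.append((m.start(), "PEB read via fs:[30h]"))
    for m in PUSH_REG_RET.finditer(buf):
        hits.append((m.start(), "push r32; ret"))
    for m in PUSH_IMM_RET.finditer(buf):
        target = int.from_bytes(m.group()[1:5], "little")
        hits.append((m.start(), "push imm32; ret (jump to 0x%08x)" % target))
    return sorted(hits)


# Constructed stand-in for a code section; each comment names the instruction encoded.
SAMPLE_TEXT = (
    b"\x55\x8B\xEC"                    # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]                 (offset 3)
    b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]       (BeingDebugged)
    b"\x85\xC0"                        # test eax, eax
    b"\x75\x02"                        # jnz short +2
    b"\x33\xC0"                        # xor eax, eax
    b"\x5D\xC3"                        # pop ebp ; ret
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[30h]                 (offset 21)
    b"\x8B\x41\x0C"                    # mov eax, [ecx+0Ch]                (PEB.Ldr, not a debugger check)
    b"\x90\x90"                        # nop ; nop
    b"\x51\xC3"                        # push ecx ; ret                    (offset 33)
    b"\x68\x00\x10\x40\x00\xC3"        # push 0x401000 ; ret               (offset 35)
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE_TEXT):
        print(f"{offset:#06x}  {what}")
```

On the constructed buffer the scanner reports the first fs:[30h] load as an inlined IsDebuggerPresent because a byte load from [eax+2] follows it, reports the second as a plain PEB read (the following instruction reads PEB.Ldr at offset 0Ch, which is how modules are enumerated without calling GetModuleHandle), and flags both push/ret pairs, decoding the target of the push imm32; ret form. Feeding it the .text section of a PE (for example via pefile) turns it into a quick pre-filter for where to look in a disassembler; it is not a replacement for one.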