Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
Analysis ID:1437895
MD5:ff6d984a5cd4f15041dae1a58de7cd5c
SHA1:ccf361f309d5197a4657843bf1d5270d8e5dd143
SHA256:1f36105fbca8245e77816446dac72f48a87dba68aa89c323ec655010764d0f2c
Tags:exe
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe" MD5: FF6D984A5CD4F15041DAE1A58DE7CD5C)
    • conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
        No Sigma rule has matched
        No Snort rule has matched


        AV Detection

        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | ReversingLabs: Detection: 23%
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Joe Sandbox ML: detected

        Exploits

        Source: Yara match | File source: 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024, type: MEMORYSTR
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 4x nop then jmp 00007FF848F322DFh | 0_2_00007FF848F319A9
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 4x nop then jmp 00007FF848F346FCh | 0_2_00007FF848F344F5
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F35AB0 | 0_2_00007FF848F35AB0
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3C924 | 0_2_00007FF848F3C924
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3AB68 | 0_2_00007FF848F3AB68
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F465B8 | 0_2_00007FF848F465B8
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3D0E9 | 0_2_00007FF848F3D0E9
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F30620 | 0_2_00007FF848F30620
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: No import functions for PE file found
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000000.1968356454.0000014285422000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameasia.exe* vs SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Binary or memory string: OriginalFilenameasia.exe* vs SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Source: classification engine | Classification label: mal76.expl.evad.winEXE@2/0@0/0
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | ReversingLabs: Detection: 23%
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: 0xFAFBEEAE [Sat Jun 9 06:43:58 2103 UTC]
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3FC16 pushfd ; retf | 0_2_00007FF848F3FC29
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF84900026B push esp; retf 4810h | 0_2_00007FF849000312
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024, type: MEMORYSTR
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: 14286F10000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: 1429F160000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Window / User API: threadDelayed 5441
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Window / User API: threadDelayed 4539
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 4040 | Thread sleep count: 5441 > 30
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 4040 | Thread sleep time: -5441000s >= -30000s
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 5960 | Thread sleep count: 4539 > 30
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 5960 | Thread sleep time: -4539000s >= -30000s
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | System information queried: CurrentTimeZoneInformation
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II

        Anti Debugging

        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process Stats: CPU usage > 42% for more than 60s
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        MITRE ATT&CK Matrix, listed per tactic column (a leading number is the count of matching signatures; entries without a number are unmatched matrix placeholders):
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Defense Evasion: 121 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Process Injection; 1 Timestomp; 1 DLL Side-Loading; 2 Obfuscated Files or Information
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: 1 System Time Discovery; 21 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
        Source | Detection | Scanner | Label | Link
        SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | 24% | ReversingLabs | Win64.Trojan.Generic |
        SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | 100% | Joe Sandbox ML | |
        No Antivirus matches
        No contacted domains info
        No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1437895
        Start date and time:2024-05-08 01:26:06 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 8s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:5
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Detection:MAL
        Classification:mal76.expl.evad.winEXE@2/0@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 90%
        • Number of executed functions: 13
        • Number of non-executed functions: 2
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Override analysis time to 240s for sample files taking high CPU consumption
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • VT rate limit hit for: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Time | Type | Description
        01:27:27 | API Interceptor | 2187220x Sleep call for process: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe modified
        No context
        No created / dropped files found
        File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
        Entropy (8bit):7.988801183818626
        TrID:
        • Win64 Executable Console Net Framework (206006/5) 48.58%
        • Win64 Executable Console (202006/5) 47.64%
        • Win64 Executable (generic) (12005/4) 2.83%
        • Generic Win/DOS Executable (2004/3) 0.47%
        • DOS Executable Generic (2002/1) 0.47%
        File name:SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        File size:677'292 bytes
        MD5:ff6d984a5cd4f15041dae1a58de7cd5c
        SHA1:ccf361f309d5197a4657843bf1d5270d8e5dd143
        SHA256:1f36105fbca8245e77816446dac72f48a87dba68aa89c323ec655010764d0f2c
        SHA512:bfc051d1c0e13f716688b915fa200d7f1ceba9bd71978a10b371d8c82de34e75a154ae6c68036c8f46405a24117521cf51f09297ae9d0a18d2fe5e124e76a0ad
        SSDEEP:12288:EVLZ8vTEKaoFAp9Te6H6Hikn5UDW+W1a4Y2IwB8S8/p/k:2KvTfFS9a6HEbDf843FR
        TLSH:C9E42324D72CA627C4CD6EB855F3328154A08FE4FAA7DE690C73B35D692168942039EF
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.2X............... ....@...... ....................................`................................
        Icon Hash:00928e8e8686b000
        Entrypoint:0x400000
        Entrypoint Section:
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0xFAFBEEAE [Sat Jun 9 06:43:58 2103 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:
        Instruction
        dec ebp
        pop edx
        nop
        add byte ptr [ebx], al
        add byte ptr [eax], al
        add byte ptr [eax+eax], al
        add byte ptr [eax], al
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x586 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7816 | 0x1c | .text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x5832 | 0x5a00 | 1543f4dc292d6162a3c0cb5f5ed91862 | False | 0.49114583333333334 | data | 5.810366886484263 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc | 0x8000 | 0x586 | 0x600 | e102b6547816a9e3349867be4f214655 | False | 0.4114583333333333 | data | 3.988456408462974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_VERSION | 0x80a0 | 0x2fc | data | | | 0.43455497382198954
        RT_MANIFEST | 0x839c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
        No network behavior found


        Target ID:0
        Start time:01:26:50
        Start date:08/05/2024
        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe
        Wow64 process (32bit):false
        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe"
        Imagebase:0x14285420000
        File size:677'292 bytes
        MD5 hash:FF6D984A5CD4F15041DAE1A58DE7CD5C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        Reputation:low
        Has exited:false

        Target ID:1
        Start time:01:26:50
        Start date:08/05/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6d64d0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true


          Execution Graph

          Execution Coverage:14%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:0%
          Total number of Nodes:12
          Total number of Limit Nodes:0
          execution_graph (node id, address, API called; edges as source->target):
          10100 7ff848f304ba
          10101 7ff848f30a30 FreeConsole; 10100->10101
          10103 7ff848f30ae1; 10101->10103
          10104 7ff848f3433a
          10105 7ff848f34349; 10104->10105
          10108 7ff848f33730; 10105->10108
          10107 7ff848f343ff
          10109 7ff848f33739 VirtualProtect; 10108->10109
          10111 7ff848f34908; 10109->10111; 10111->10107
          10096 7ff848f347a6
          10097 7ff848f347d1 VirtualProtect; 10096->10097
          10099 7ff848f34908; 10097->10099

          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID: @bH$fish
          • API String ID: 0-173818613
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 597c6fb1d7f2f26993abfa5ed5ae136d297856145df6487a18072d2ccf5da7ef
          • Instruction ID: 21acf74efdef704e79ada6111932cd11433a7e066d60ca8dfcd23636f4f1c0cf
          • Opcode Fuzzy Hash: 597c6fb1d7f2f26993abfa5ed5ae136d297856145df6487a18072d2ccf5da7ef
          • Instruction Fuzzy Hash: 1352B430A1CA098FDBA8EB28D45567977E1FF59341F1401BEE48EC76D2DF24AC428B85
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 311fdbf366e5b83e09f198b02f282b53623544eb2d4d8da77cf6c0254a0563cf
          • Instruction ID: 6e2f339191a69a39e0f0653a77dd17c5984f360a04163c27f7a3de95dd576a40
          • Opcode Fuzzy Hash: 311fdbf366e5b83e09f198b02f282b53623544eb2d4d8da77cf6c0254a0563cf
          • Instruction Fuzzy Hash: F722A831A0CA8A4FE359EB2884510B5B7E1FF85341F0445BFD48AC72E6EF29E952C385
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: aee6a82ff1cac650654389b8279f3954dba3accbf556c45b4274539563223a81
          • Instruction ID: 0697e29d1b773743f33a9d167f0d8a8fe144bee4080e86b6c248b95cc4aba83e
          • Opcode Fuzzy Hash: aee6a82ff1cac650654389b8279f3954dba3accbf556c45b4274539563223a81
          • Instruction Fuzzy Hash: 86F1523190CB864FE359EB2884911B1B7E2FF95341F1446BFE48AC72E5DB28A846C785
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b4cc8b37e5f1427c53eb15bf4045c0e8da95199294e84ae87e0197611d92848d
          • Instruction ID: 229e82e95807b6388a98de62eb48c289171e1e4b45fd2e9e0c3c5bb9fcbf9220
          • Opcode Fuzzy Hash: b4cc8b37e5f1427c53eb15bf4045c0e8da95199294e84ae87e0197611d92848d
          • Instruction Fuzzy Hash: 6461EC30A46A1ACFEBA4EB24D8557ACB372EF59341F5145BAD40D93395CE3AAD81CB00
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bc6aa092697a7b150a159d0bcdc98f9dd0ebc18e61acc341013800516dafa7c8
          • Instruction ID: e46c21549f0f1d4ab3d4f25e9fe6c7ade02db0d974b8152127cbceeece3f9373
          • Opcode Fuzzy Hash: bc6aa092697a7b150a159d0bcdc98f9dd0ebc18e61acc341013800516dafa7c8
          • Instruction Fuzzy Hash: A3415B3260D74D0FD31E9B3898151B57BD5EB92320F1582BFD08BC71E7DD2898468795

          Control-flow Graph

          • Executed
          • Not Executed
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.4415764783.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff849000000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID: A
          • API String ID: 0-3554254475
          • Opcode ID: a409e6e26efcbc6941123caaf0a0dbcf32be769e00a802196cbef986e7084e58
          • Instruction ID: e581799361d47333127215bb49c9e8cd1978a61bd448a2609aa363d4fb117d23
          • Opcode Fuzzy Hash: a409e6e26efcbc6941123caaf0a0dbcf32be769e00a802196cbef986e7084e58
          • Instruction Fuzzy Hash: 7D62FB72C0DAC64FEB66EF2498555B57BF0FF56348F1805FAC089CB093E928A84AC751

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 335 7ff848f347a6-7ff848f347cf 336 7ff848f347da-7ff848f34906 VirtualProtect 335->336 337 7ff848f347d1-7ff848f347d9 335->337 341 7ff848f34908 336->341 342 7ff848f3490e-7ff848f34968 336->342 337->336 341->342
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID: ProtectVirtual
          • String ID:
          • API String ID: 544645111-0
          • Opcode ID: add72a544558c30ed125fdd5bfdeb4302d2d04e9c7ac1f1e79c294ee6d26474b
          • Instruction ID: 0530c95cfa256a764be0fa4674ddb51594de2546e2b116f32a20d04137eaceb1
          • Opcode Fuzzy Hash: add72a544558c30ed125fdd5bfdeb4302d2d04e9c7ac1f1e79c294ee6d26474b
          • Instruction Fuzzy Hash: E1516D7090874C8FDB58DFA8C845BE9BBF1FB66310F1042AED449E7292DB74A885CB45

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 345 7ff848f33730-7ff848f3373c 347 7ff848f3374b-7ff848f34906 VirtualProtect 345->347 348 7ff848f3373e 345->348 352 7ff848f34908 347->352 353 7ff848f3490e-7ff848f34968 347->353 348->347 352->353
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 26910e22028c5a7fc3056e7d2540271a118bf342e8efe0b8fec0976b0dc4f9b6
          • Instruction ID: 8ee60ab4ee82efce3bbb05cce12aa3a67a5ee8e10a5f1da1fc0c8288fbbb7405
          • Opcode Fuzzy Hash: 26910e22028c5a7fc3056e7d2540271a118bf342e8efe0b8fec0976b0dc4f9b6
          • Instruction Fuzzy Hash: 86514870908A1C8FDB58EF98C885AEDBBF1FB69314F10416ED049E3291DB74A985CB85

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 356 7ff848f30a0d-7ff848f30a19 357 7ff848f30a1b-7ff848f30a23 356->357 358 7ff848f30a24-7ff848f30adf FreeConsole 356->358 357->358 362 7ff848f30ae1 358->362 363 7ff848f30ae7-7ff848f30b2d 358->363 362->363
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID: ConsoleFree
          • String ID:
          • API String ID: 771614528-0
          • Opcode ID: 424073a73099e9ed9c37ab2371225ad3d1896c245bd35c024c2296122da8e97d
          • Instruction ID: f7c36202189de55fc29f92c58a521e314ff1f7049a91960a9a68bb53f101b6b9
          • Opcode Fuzzy Hash: 424073a73099e9ed9c37ab2371225ad3d1896c245bd35c024c2296122da8e97d
          • Instruction Fuzzy Hash: 9C418B3490875C8FEB54EF98D889BEDBBF0FB56311F0002AAD449D7292CB74A885CB41

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 365 7ff848f304ba-7ff848f30a80 368 7ff848f30a88-7ff848f30adf FreeConsole 365->368 369 7ff848f30ae1 368->369 370 7ff848f30ae7-7ff848f30b2d 368->370 369->370
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID: ConsoleFree
          • String ID:
          • API String ID: 771614528-0
          • Opcode ID: 69c462d13083fb14242d3baa2a2989662032da44aea96315fd0228cc75da8a4d
          • Instruction ID: 82be65120f7c86b3011e14ed7ce483f9b3972025b98f4e2f606e144fe4afc1cd
          • Opcode Fuzzy Hash: 69c462d13083fb14242d3baa2a2989662032da44aea96315fd0228cc75da8a4d
          • Instruction Fuzzy Hash: 0E31887090871C8FEB54EF98D889BEDBBF0FB5A311F10416AD40AE7252CB74A885CB50
          Memory Dump Source
          • Source File: 00000000.00000002.4415764783.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff849000000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0749949bce59f3e17ba9ebefd3ab09d97a171e1c2eba06f7518e0df7a94f8961
          • Instruction ID: 050ca4833f8eca6e22735b85689db61d352098f4a6b3bc60823e7c36b615edcf
          • Opcode Fuzzy Hash: 0749949bce59f3e17ba9ebefd3ab09d97a171e1c2eba06f7518e0df7a94f8961
          • Instruction Fuzzy Hash: FB218E2294E7C64FD3079B7868256A4BFE0AF57168F1E41EFC088CB1E3D54D5889C322
          Memory Dump Source
          • Source File: 00000000.00000002.4415764783.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff849000000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 814d954a0551badbe6732faaa8484f4e0dce09c44fdadc4559f067557af8e3e5
          • Instruction ID: d7036bbc747e10aea5624204ca33e912d4d1681f27afd1c597d07afc56d4d5a0
          • Opcode Fuzzy Hash: 814d954a0551badbe6732faaa8484f4e0dce09c44fdadc4559f067557af8e3e5
          • Instruction Fuzzy Hash: D3E01A31A046288EDF64EB08DC40BDDB3B1EB84350F0041E6C44DE3241CB306E85CF82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID: pjH$iH
          • API String ID: 0-290466664
          • Opcode ID: 08aa39d98818114c4ceccd8bc33df760b98ab87f018b53d80abe15f66a48eeb7
          • Instruction ID: c0bb7302b0b6e12a76613370b13a47f55130cff0c7330adaccf9d31e15db541a
          • Opcode Fuzzy Hash: 08aa39d98818114c4ceccd8bc33df760b98ab87f018b53d80abe15f66a48eeb7
          • Instruction Fuzzy Hash: 8B025A71D19A198FEBA5EF18D8997E9B7B1FF49340F1001EAD00DA3281DB386A84CF55
          Memory Dump Source
          • Source File: 00000000.00000002.4415324515.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff848f30000_SecuriteInfo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 723e736b14f1b2fcd65aabf2c875c718607e50da5c02d8b23abac577621b7767
          • Instruction ID: 042a4f4ebabacfe1da3c1166f5d4f263e452e4e7e44c999d0c128e49b8b53120
          • Opcode Fuzzy Hash: 723e736b14f1b2fcd65aabf2c875c718607e50da5c02d8b23abac577621b7767
          • Instruction Fuzzy Hash: 5281B47090CA8C8FEBA8EF58C8457E977E1FF69310F10412AE84EC7291DB749985CB85