
Analysis Report .exe

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:167254
Start date:25.08.2019
Start time:18:08:21
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 19s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name: .exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.troj.expl.evad.winEXE@8/14@0/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 96.1% (good quality ratio 70%)
  • Quality average: 52.2%
  • Quality standard deviation: 39.1%
HCA Information:
  • Successful, ratio: 68%
  • Number of executed functions: 74
  • Number of non-executed functions: 92
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenFile calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   88      0 - 100               false         malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API1 | Winlogon Helper DLL | Process Injection11 | Masquerading12 | Input Capture1 | System Time Discovery12 | Remote File Copy1 | Input Capture1 | Data Encrypted1 | Uncommonly Used Port1
Replication Through Removable Media | Exploitation for Client Execution2 | Port Monitors | Accessibility Features | Software Packing11 | Network Sniffing | Process Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection11 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Commonly Used Port1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | File Deletion1 | Credentials in Files | Security Software Discovery51 | Logon Scripts | Input Capture | Data Encrypted | Remote File Copy1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information11 | Account Manipulation | File and Directory Discovery11 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading1 | Brute Force | System Information Discovery11 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Signature Overview


AV Detection:

Antivirus or Machine Learning detection for dropped file
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Avira: Label: BDS/Backdoor.fszhy
  • Source: C:\Windows\java.exe | Avira: Label: WORM/Mydoom.O.1
  • Source: C:\Windows\services.exe | Avira: Label: BDS/Backdoor.fszhy
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Joe Sandbox ML: detected
  • Source: C:\Windows\java.exe | Joe Sandbox ML: detected
  • Source: C:\Windows\services.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: .exe | Avira: Label: WORM/Mydoom.O.1
  • Source: .exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | virustotal: Detection: 91%
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | metadefender: Detection: 94%
  • Source: C:\Windows\services.exe | virustotal: Detection: 91%
  • Source: C:\Windows\services.exe | metadefender: Detection: 94%
Antivirus or Machine Learning detection for unpacked file
  • Source: 0.2. .exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
  • Source: 0.0. .exe.500000.2.unpack | Avira: Label: WORM/Mydoom.MA
  • Source: 0.0. .exe.500000.1.unpack | Avira: Label: WORM/Mydoom.MA
  • Source: 4.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 3.2.java.exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
  • Source: 4.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 7.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 1.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 1.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 3.0.java.exe.500000.0.unpack | Avira: Label: WORM/Mydoom.MA
  • Source: 0.0. .exe.500000.0.unpack | Avira: Label: WORM/Mydoom.MA
  • Source: 0.1. .exe.500000.0.unpack | Avira: Label: WORM/Mydoom.M
  • Source: 4.1.services.exe.400000.0.unpack | Avira: Label: WORM/Mydoom.N.2
  • Source: 7.1.services.exe.400000.0.unpack | Avira: Label: WORM/Mydoom.N.2
  • Source: 7.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
  • Source: 1.1.services.exe.400000.0.unpack | Avira: Label: WORM/Mydoom.N.2
  • Source: 3.1.java.exe.500000.0.unpack | Avira: Label: WORM/Mydoom.M

Spreading:

Enumerates the file system
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
  • Source: C:\Windows\java.exe | Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 3_2_005052AD

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
  • Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 15.139.236.20:1034
  • Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 15.42.229.113:1034
  • Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 16.50.1.34:1034
  • Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 217.44.192.139:1034
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 15.139.236.20
  • Source: unknown | TCP traffic detected without corresponding DNS query: 15.42.229.113
  • Source: unknown | TCP traffic detected without corresponding DNS query: 16.50.1.34
  • Source: unknown | TCP traffic detected without corresponding DNS query: 217.44.192.139
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 217.44.192.139
  • Source: Joe Sandbox View | IP Address: 15.139.236.20
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: BT-UK-ASBTnetUKRegionalnetworkGB
  • Source: Joe Sandbox View | ASN Name: HPES-Hewlett-PackardCompanyUS
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00506AB8 select,recv, 0_2_00506AB8
Found strings which match to known social media urls
  • Source: .exe, 00000000.00000002.693624924.0000000000501000.00000040.00020000.sdmp, java.exe, 00000003.00000002.1020455908.0000000000501000.00000040.00020000.sdmp | String found in binary or memory: HLOToFrom%s %sSMTPServerSoftware\Microsoft\%s %s Manager\%ssInternetAccountmx.mail.smtp..logzincite"%s"servicesurlmon.dllURLDownloadToCacheFileAhttp://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%dhttp://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%dhttp://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s%s+%s-contact+replymailtoU equals www.yahoo.com (Yahoo)
  • Source: .exe, 00000000.00000002.693624924.0000000000501000.00000040.00020000.sdmp, java.exe, 00000003.00000002.1020455908.0000000000501000.00000040.00020000.sdmp | String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
  • Source: .exe, java.exe | String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= equals www.yahoo.com (Yahoo)
  • Source: .exe, 00000000.00000002.693624924.0000000000501000.00000040.00020000.sdmp, java.exe, 00000003.00000002.1020455908.0000000000501000.00000040.00020000.sdmp | String found in binary or memory: yahoo equals www.yahoo.com (Yahoo)
  • Source: .exe, java.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
  • Source: .exe, java.exe | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
  • Source: .exe, 00000000.00000002.693624924.0000000000501000.00000040.00020000.sdmp, java.exe, 00000003.00000002.1020455908.0000000000501000.00000040.00020000.sdmp | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c
  • Source: .exe, java.exe | String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
  • Source: .exe, java.exe | String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
  • Source: .exe, java.exe | String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: services.exe, 00000001.00000002.1018981125.0000000000800000.00000004.00000001.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Creates files inside the system directory
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\services.exe
Creates mutexes
  • Source: C:\Windows\java.exe | Mutant created: \Sessions\1\BaseNamedObjects\138727root138727root1138727root138727root11
  • Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1232
Deletes files inside the Windows folder
  • Source: C:\Users\user\Desktop\ .exe | File deleted: C:\Windows\java.exe
Detected potential crypto function
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00507730 0_2_00507730
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005011C9 0_2_005011C9
  • Source: C:\Windows\java.exe | Code function: 3_2_00507730 3_2_00507730
  • Source: C:\Windows\java.exe | Code function: 3_2_005011C9 3_2_005011C9
Dropped file seen in connection with other malware
  • Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
One or more processes crash
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 980
PE file contains strange resources
  • Source: .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: java.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
  • Source: C:\Users\user\Desktop\ .exe | File read: C:\Users\user\Desktop\ .exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\ .exe | Section loaded: wow64log.dll
  • Source: C:\Windows\services.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\java.exe | Section loaded: wow64log.dll
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Classification label
  • Source: classification engine | Classification label: mal88.troj.expl.evad.winEXE@8/14@0/6
Creates temporary files
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Users\user\AppData\Local\Temp\zincite.log
Reads software policies
  • Source: C:\Users\user\Desktop\ .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
  • Source: unknown | Process created: C:\Windows\services.exe C:\Windows\services.exe
  • Source: unknown | Process created: C:\Windows\java.exe 'C:\Windows\java.exe'
  • Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
  • Source: unknown | Process created: C:\Windows\services.exe 'C:\Windows\services.exe'
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 980
  • Source: C:\Users\user\Desktop\ .exe | Process created: C:\Windows\services.exe C:\Windows\services.exe
  • Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
PE file contains sections with non-standard names
  • Source: services.exe.0.dr | Static PE information: section name: UPX2
  • Source: services.exe.3.dr | Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_0050A42D push ds; ret 0_2_0050A42E
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_0050DEA6 push ds; ret 0_2_0050DEBE
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_0050A501 push ecx; retf 0_2_0050A53F
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_0050A50F push ecx; retf 0_2_0050A53F
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00509BA2 push edx; retf 0_2_00509BAB
  • Source: C:\Windows\services.exe | Code function: 1_2_00405A55 push es; iretd 1_2_00405A8E
  • Source: C:\Windows\java.exe | Code function: 3_2_0050A42D push ds; ret 3_2_0050A42E
  • Source: C:\Windows\java.exe | Code function: 3_2_0050DEA6 push ds; ret 3_2_0050DEBE
  • Source: C:\Windows\java.exe | Code function: 3_2_0050A501 push ecx; retf 3_2_0050A53F
  • Source: C:\Windows\java.exe | Code function: 3_2_0050A50F push ecx; retf 3_2_0050A53F
  • Source: C:\Windows\java.exe | Code function: 3_2_00509BA2 push edx; retf 3_2_00509BAB
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Code function: 4_2_00405A55 push es; iretd 4_2_00405A8E
  • Source: C:\Windows\services.exe | Code function: 7_2_00405A55 push es; iretd 7_2_00405A8E
Sample is packed with UPX
  • Source: initial sample | Static PE information: section name: UPX0
  • Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates processes with suspicious names
  • Source: C:\Users\user\Desktop\ .exe | File created: \ .exe
Drops PE files with benign system names
  • Source: C:\Windows\java.exe | File created: C:\Users\user\AppData\Local\Temp\services.exe
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\services.exe
Drops executables to the windows directory (C:\Windows) and starts them
  • Source: unknown | Executable created and started: C:\Windows\java.exe
  • Source: C:\Users\user\Desktop\ .exe | Executable created and started: C:\Windows\services.exe
Exploit detected, runtime environment dropped PE file
  • Source: C:\Windows\java.exe | File created: services.exe.3.dr
Drops PE files
  • Source: C:\Windows\java.exe | File created: C:\Users\user\AppData\Local\Temp\services.exe
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\java.exe
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\services.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\java.exe
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\services.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  • Source: C:\Windows\services.exe | Window / User API: threadDelayed 1542
  • Source: C:\Windows\java.exe | Window / User API: threadDelayed 656
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Window / User API: threadDelayed 431
  • Source: C:\Windows\services.exe | Window / User API: threadDelayed 402
Found decision node followed by non-executed suspicious APIs
  • Source: C:\Windows\java.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_3-3537
  • Source: C:\Users\user\Desktop\ .exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-3533
  • Source: C:\Windows\services.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-947
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-947
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\Users\user\Desktop\ .exe TID: 1216 | Thread sleep time: -30000s >= -30000s
  • Source: C:\Users\user\Desktop\ .exe TID: 1216 | Thread sleep count: 58 > 30
  • Source: C:\Windows\services.exe TID: 5076 | Thread sleep count: 1542 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep count: 63 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep count: 44 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep count: 93 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep count: 135 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep count: 656 > 30
  • Source: C:\Windows\java.exe TID: 3112 | Thread sleep time: -49200s >= -30000s
  • Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2612 | Thread sleep count: 431 > 30
  • Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2612 | Thread sleep time: -107750s >= -30000s
  • Source: C:\Windows\services.exe TID: 2512 | Thread sleep count: 402 > 30
  • Source: C:\Windows\services.exe TID: 2512 | Thread sleep time: -100500s >= -30000s
Queries disk information (often used to detect virtual machines)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
  • Source: C:\Users\user\Desktop\ .exe | Last function: Thread delayed
  • Source: C:\Windows\java.exe | Last function: Thread delayed
  • Source: C:\Users\user\AppData\Local\Temp\services.exe | Last function: Thread delayed
  • Source: C:\Windows\services.exe | Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 0_2_00505717
  • Source: C:\Windows\java.exe | Code function: 3_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 3_2_00505717
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
  • Source: C:\Windows\java.exe | Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 3_2_005052AD
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: services.exe, 00000001.00000002.1019011202.0000000000812000.00000004.00000001.sdmp, services.exe, 00000004.00000002.1022472977.0000000000812000.00000004.00000001.sdmp, services.exe, 00000007.00000002.1023793212.0000000000800000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Queries a list of all running processes
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_3f3714ea22baf985.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Users\user\Desktop\ .exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
  • Source: C:\Users\user\Desktop\ .exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,HeapFree, 0_2_00504E00
Enables debug privileges
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
  • Source: C:\Users\user\Desktop\ .exe | Process created: C:\Windows\services.exe C:\Windows\services.exe
  • Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
May try to detect the Windows Explorer process (often used for injection)
  • Source: .exe, 00000000.00000000.667350483.0000000000F00000.00000002.00000001.sdmp, services.exe, 00000001.00000002.1019146075.0000000000F90000.00000002.00000001.sdmp, java.exe, 00000003.00000002.1020921357.0000000000E20000.00000002.00000001.sdmp, services.exe, 00000004.00000002.1022539979.0000000000F90000.00000002.00000001.sdmp, services.exe, 00000007.00000002.1023900826.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
  • Source: .exe, 00000000.00000000.667350483.0000000000F00000.00000002.00000001.sdmp, services.exe, 00000001.00000002.1019146075.0000000000F90000.00000002.00000001.sdmp, java.exe, 00000003.00000002.1020921357.0000000000E20000.00000002.00000001.sdmp, services.exe, 00000004.00000002.1022539979.0000000000F90000.00000002.00000001.sdmp, services.exe, 00000007.00000002.1023900826.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: .exe, 00000000.00000000.667350483.0000000000F00000.00000002.00000001.sdmp, services.exe, 00000001.00000002.1019146075.0000000000F90000.00000002.00000001.sdmp, java.exe, 00000003.00000002.1020921357.0000000000E20000.00000002.00000001.sdmp, services.exe, 00000004.00000002.1022539979.0000000000F90000.00000002.00000001.sdmp, services.exe, 00000007.00000002.1023900826.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progman
  • Source: .exe, 00000000.00000000.667350483.0000000000F00000.00000002.00000001.sdmp, services.exe, 00000001.00000002.1019146075.0000000000F90000.00000002.00000001.sdmp, java.exe, 00000003.00000002.1020921357.0000000000E20000.00000002.00000001.sdmp, services.exe, 00000004.00000002.1022539979.0000000000F90000.00000002.00000001.sdmp, services.exe, 00000007.00000002.1023900826.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\ .exe    Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\ .exe    Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Users\user\Desktop\ .exe    Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread
Source: C:\Windows\java.exe    Code function: 3_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\services.exe    Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\services.exe    Code function: 4_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle
Source: C:\Windows\services.exe    Code function: 7_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle

Behavior Graph

[Behavior graph image not reproduced here. Behavior Graph ID: 167254, Sample: .exe, Startdate: 25/08/2019, Architecture: WINDOWS, Score: 88. Information recoverable from the graph nodes:]

Sample-level signatures: Antivirus or Machine Learning detection for sample; Detected TCP or UDP traffic on non-standard ports; Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names.

Processes started from the sample: .exe, java.exe, services.exe.

.exe: dropped C:\Windows\services.exe (PE32), C:\Windows\java.exe (PE32), C:\Windows\java.exe:Zone.Identifier (ASCII); signatures: Creates processes with suspicious names; Drops executables to the windows directory (C:\Windows) and starts them; started services.exe and WerFault.exe.

java.exe: dropped C:\Users\user\AppData\Local\...\services.exe (PE32); signatures: Antivirus or Machine Learning detection for dropped file; Exploit detected, runtime environment starts unknown processes; Exploit detected, runtime environment dropped PE file; Drops PE files with benign system names; started services.exe.

services.exe (started by .exe): network contacts 15.139.236.20 port 1034 (HPES-Hewlett-PackardCompanyUS, United States), 217.44.192.139 port 1034 (BT-UK-ASBTnetUKRegionalnetworkGB, United Kingdom), and 4 other IPs or domains; signatures: Antivirus or Machine Learning detection for dropped file; Multi AV Scanner detection for dropped file; Detected TCP or UDP traffic on non-standard ports (traffic to 217.44.192.139).

Simulations

Behavior and APIs

Time | Type | Description
18:09:25 | API Interceptor | 4x Sleep call for process: .exe modified
18:09:26 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM C:\Windows\java.exe
18:09:34 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Windows\services.exe

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
.exe | 100% | Avira | WORM/Mydoom.O.1
.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\services.exe | 100% | Avira | BDS/Backdoor.fszhy
C:\Windows\java.exe | 100% | Avira | WORM/Mydoom.O.1
C:\Windows\services.exe | 100% | Avira | BDS/Backdoor.fszhy
C:\Users\user\AppData\Local\Temp\services.exe | 100% | Joe Sandbox ML |
C:\Windows\java.exe | 100% | Joe Sandbox ML |
C:\Windows\services.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\services.exe | 91% | virustotal |
C:\Users\user\AppData\Local\Temp\services.exe | 97% | metadefender |
C:\Windows\services.exe | 91% | virustotal |
C:\Windows\services.exe | 97% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
0.2. .exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
0.0. .exe.500000.2.unpack | 100% | Avira | WORM/Mydoom.MA
0.0. .exe.500000.1.unpack | 100% | Avira | WORM/Mydoom.MA
4.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
3.2.java.exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
4.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
7.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
1.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
1.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
3.0.java.exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.MA
0.0. .exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.MA
0.1. .exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.M
4.1.services.exe.400000.0.unpack | 100% | Avira | WORM/Mydoom.N.2
7.1.services.exe.400000.0.unpack | 100% | Avira | WORM/Mydoom.N.2
7.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
1.1.services.exe.400000.0.unpack | 100% | Avira | WORM/Mydoom.N.2
3.1.java.exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.M

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 | 0% | virustotal |
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection

217.44.192.139 | 33transcrip.exe | malicious
217.44.192.139 | 6q3aWhXSLKT.exe | malicious
217.44.192.139 | 10instruction.htm .exe | malicious
217.44.192.139 | 43blgnqvilEA.exe | malicious
217.44.192.139 | 57kF2WjZwnPS.exe | malicious
217.44.192.139 | 31TEX.exe | malicious
217.44.192.139 | 92mail98@vip.son.exe | malicious
217.44.192.139 | 55Ve.exe | malicious
217.44.192.139 | 15messag.exe | malicious
217.44.192.139 | 3fil.exe | malicious
217.44.192.139 | 58Lette.exe | malicious
217.44.192.139 | 34LETTE.exe | malicious
217.44.192.139 | .exe | malicious
217.44.192.139 | 7transcrip.exe | malicious
217.44.192.139 | 36transcrip.exe | malicious
217.44.192.139 | 37noemail.exe | malicious
217.44.192.139 | 43document.exe | malicious
217.44.192.139 | 3noemail.exe | malicious
217.44.192.139 | 7mail.exe | malicious
217.44.192.139 | 14instruction.exe | malicious

15.139.236.20 | 6q3aWhXSLKT.exe | malicious
15.139.236.20 | 43blgnqvilEA.exe | malicious
15.139.236.20 | 57kF2WjZwnPS.exe | malicious
15.139.236.20 | 31TEX.exe | malicious
15.139.236.20 | 92mail98@vip.son.exe | malicious
15.139.236.20 | 55Ve.exe | malicious
15.139.236.20 | 3fil.exe | malicious
15.139.236.20 | 58Lette.exe | malicious
15.139.236.20 | 34LETTE.exe | malicious
15.139.236.20 | .exe | malicious
15.139.236.20 | 26LMZJ1M1U1i.exe | malicious
15.139.236.20 | 7transcrip.exe | malicious
15.139.236.20 | 36transcrip.exe | malicious
15.139.236.20 | 33rmsupq.exe | malicious
15.139.236.20 | 3noemail.exe | malicious
15.139.236.20 | 7mail.exe | malicious
15.139.236.20 | 14instruction.exe | malicious
15.139.236.20 | .exe | malicious
15.139.236.20 | 31message.exe | malicious
15.139.236.20 | .exe | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)

BT-UK-ASBTnetUKRegionalnetworkGB | .exe | malicious | 217.43.191.63
BT-UK-ASBTnetUKRegionalnetworkGB | kovter.exe | malicious | 86.179.228.220
BT-UK-ASBTnetUKRegionalnetworkGB | 33transcrip.exe | malicious | 217.44.192.139
BT-UK-ASBTnetUKRegionalnetworkGB | .exe | malicious | 81.152.168.204
BT-UK-ASBTnetUKRegionalnetworkGB | emotet.doc | malicious | 217.35.83.153
BT-UK-ASBTnetUKRegionalnetworkGB | Paypal.doc | malicious | 217.35.83.153
BT-UK-ASBTnetUKRegionalnetworkGB | 53letter.exe | malicious | 194.74.152.105
BT-UK-ASBTnetUKRegionalnetworkGB | 23d8eyq8bMXu.exe | malicious | 217.47.228.40
BT-UK-ASBTnetUKRegionalnetworkGB | 6q3aWhXSLKT.exe | malicious | 217.44.192.139
BT-UK-ASBTnetUKRegionalnetworkGB | 10instruction.htm .exe | malicious | 217.44.192.139
BT-UK-ASBTnetUKRegionalnetworkGB | .exe | malicious | 81.152.168.204
BT-UK-ASBTnetUKRegionalnetworkGB | 43blgnqvilEA.exe | malicious | 217.44.192.139
BT-UK-ASBTnetUKRegionalnetworkGB | http://raminkb.com/wp-admin/3047863JEN/biz/Smallbusiness | malicious | 213.123.182.53
BT-UK-ASBTnetUKRegionalnetworkGB | 1RE-UIHM-3514601.doc | malicious | 213.123.182.53
BT-UK-ASBTnetUKRegionalnetworkGB | 67Invoice_No_U5204.doc | malicious | 81.134.0.41
BT-UK-ASBTnetUKRegionalnetworkGB | FILE_510803.doc | malicious | 81.134.0.41
BT-UK-ASBTnetUKRegionalnetworkGB | 17Untitled-Z9578.doc | malicious | 81.134.0.41
BT-UK-ASBTnetUKRegionalnetworkGB | 1Inv_No_D914934.doc | malicious | 81.134.0.41
BT-UK-ASBTnetUKRegionalnetworkGB | 5Invoice_No_C7460.doc | malicious | 81.134.0.41
BT-UK-ASBTnetUKRegionalnetworkGB | 19Inv_No_68813.doc | malicious | 81.134.0.41

HPES-Hewlett-PackardCompanyUS | 33transcrip.exe | malicious | 15.139.236.74
HPES-Hewlett-PackardCompanyUS | IT-HELP DESK 03-01-2018.pdf | malicious | 168.87.137.34
HPES-Hewlett-PackardCompanyUS | 6q3aWhXSLKT.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 43blgnqvilEA.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 23I4bYHvc3VP.exe | malicious | 15.139.236.61
HPES-Hewlett-PackardCompanyUS | 57kF2WjZwnPS.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 31TEX.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 37MESSAG.exe | malicious | 15.139.236.74
HPES-Hewlett-PackardCompanyUS | .exe | malicious | 15.139.236.61
HPES-Hewlett-PackardCompanyUS | 92mail98@vip.son.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 9chenlp@cmc.exe | malicious | 15.139.236.74
HPES-Hewlett-PackardCompanyUS | 55Ve.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 3fil.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 58Lette.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 34LETTE.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | .exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | .exe | malicious | 15.139.236.61
HPES-Hewlett-PackardCompanyUS | 8Lette.exe | malicious | 15.124.29.93
HPES-Hewlett-PackardCompanyUS | 26LMZJ1M1U1i.exe | malicious | 15.139.236.20
HPES-Hewlett-PackardCompanyUS | 45ghostviewer@youtube.exe | malicious | 15.139.236.61

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection

C:\Users\user\AppData\Local\Temp\services.exe | lxy006@qisheng.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | qisheng.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | yu@etfd.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | esun@esunchina.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | Instruction.scr | malicious
C:\Users\user\AppData\Local\Temp\services.exe | insurance@safecompare.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | document.exe | malicious
C:\Users\user\AppData\Local\Temp\services.exe | jll072@qisheng.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | caigou7@zhendongshoes.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | .exe | malicious
C:\Users\user\AppData\Local\Temp\services.exe | .exe | malicious
C:\Users\user\AppData\Local\Temp\services.exe | lr039@qisheng.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | qisheng.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | elamrani@smesi.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | .com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | service_yido@xx0091.maiphone.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | zhendongshoes.com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | .com | malicious
C:\Users\user\AppData\Local\Temp\services.exe | .exe | malicious
C:\Users\user\AppData\Local\Temp\services.exe | yj075@qisheng.com | malicious

Screenshots