Analysis Report sasas.bin
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Delete shadow copy via WMIC |
Source: | Author: Joe Security: |
Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | String found in binary or memory: |
Spam, unwanted Advertisements and Ransom Demands: |
---|
Deletes shadow drive data (may be related to ransomware) |
Source: | Process created: |
System Summary: |
---|
Detected VMProtect packer |
Source: | Static PE information: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Classification label: |
Source: | Code function: | 0_2_00DE2BF0 |
Source: | Mutant created: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | Virustotal: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File written: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Code function: | 0_2_01717146 |
Hooking and other Techniques for Hiding and Protection: |
---|
Overwrites code with unconditional jumps - possibly setting hooks in foreign process |
Source: | Memory written: |
Source: | Key value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect debuggers by setting the trap flag for special instructions |
Source: | Special instruction interceptor: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | File opened / queried: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | File opened: |
Source: | Last function: |
Source: | File Volume queried: |
Source: | Binary or memory string: |
Source: | System information queried: |
Source: | Process information queried: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | System information queried: |
Source: | Process queried: |
Source: | Process token adjusted: |
Source: | Queries volume information: |
Source: | Key value queried: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection1 | Modify Registry1 | Credential API Hooking1 | Security Software Discovery441 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Virtualization/Sandbox Evasion15 | LSASS Memory | Virtualization/Sandbox Evasion15 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery224 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 69% | Virustotal | | |
| | 51% | Metadefender | | |
| | 83% | ReversingLabs | Win32.Ransomware.RagnarLocker | |
| | 100% | Avira | TR/Ransom.RagnarLocker.mquxw | |
| | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 323226 |
Start date: | 26.11.2020 |
Start time: | 15:06:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | sasas.bin (renamed file extension from bin to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 33 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.rans.evad.winEXE@5/7@0/0 |
EGA Information: | Failed |
HDC Information: |
HCA Information: | Failed |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:07:18 | API Interceptor | |
15:07:19 | API Interceptor | |
15:07:32 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\sasas.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 129 |
Entropy (8bit): | 5.323600488446077 |
Encrypted: | false |
SSDEEP: | 3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn |
MD5: | A526B9E7C716B3489D8CC062FBCE4005 |
SHA1: | 2DF502A944FF721241BE20A9E449D2ACD07E0312 |
SHA-256: | E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066 |
SHA-512: | D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\sasas.exe |
File Type: | |
Category: | modified |
Size (bytes): | 129 |
Entropy (8bit): | 5.323600488446077 |
Encrypted: | false |
SSDEEP: | 3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn |
MD5: | A526B9E7C716B3489D8CC062FBCE4005 |
SHA1: | 2DF502A944FF721241BE20A9E449D2ACD07E0312 |
SHA-256: | E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066 |
SHA-512: | D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10998 |
Entropy (8bit): | 3.757609641411303 |
Encrypted: | false |
SSDEEP: | 96:dS0bTbspOPSmhK1Dg3frpXIQcQvc6QcEDMcw3DL+HbHg/8BRTf3o8Fa9iVf9Tx+T:UyRHBUZMXoj+l/u7s5S274ItkIlr |
MD5: | 534C81D2361CB3D49750D1EA0B9689E3 |
SHA1: | AC36C5C80682A9D292D4D9E6727883D450EEFD03 |
SHA-256: | 17150CF8F041FBEDBD87058CB08F66039C7DB00810D8BC152CA98AD8F2C7DFC8 |
SHA-512: | 789F6E2FEA41A9E1127789D927598E5B8DE807654C7E5547AB646300F07EE2F9AD032DC8C1FDBD1DDCF6AD9BA7235859C88045D4D14999300858A960D76091F7 |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 96112 |
Entropy (8bit): | 2.147515649152545 |
Encrypted: | false |
SSDEEP: | 768:IbZqk2dEr5UZB6RDnSO0rpcWII1s0Hn1/o:IdqVdcSRtGMHnxo |
MD5: | 165DF6B8E73E46056C3CADD8CC59336D |
SHA1: | 6735C99170193473B40657290550BE8FC31A7B68 |
SHA-256: | 85119638645B486CB5E43648D554A72C29C0064659FC2F881D4CA9B8B490DE53 |
SHA-512: | E6D0F3BF321DFBFD553CC76DBDFBC3355C975A13D68C8A7759229EDC2944B1C488916F54CDC3E1C28DC4AF3935E44D3F08E17574E6CBDCDD7E4CFC03966D8E2B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8296 |
Entropy (8bit): | 3.6942186959084853 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiUD6i6YSqSU94gmfFESsCpr189bsTn3sfc+CLm:RrlsNi46i6Y/SU94gmfFES2sTn8fcji |
MD5: | 18042B4F61E695247A0BC967E65503BB |
SHA1: | FB392B93076BB568E90905794FA72A91D6863B97 |
SHA-256: | 7B847C9E288F15AD12B0154275C9FA668369EC6E93A10741A0DC600601A018BA |
SHA-512: | 9E0DDDE5E5A7613293493FBAF596A9E749EA1BBC6D9AA709E74CEA7F37DA2DF19EA6F7F86291054454C23B354C4897A13372B7BBC21ED91EED0D7AD93A6E0EFC |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4542 |
Entropy (8bit): | 4.425034893696035 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs6JgtWI9VhWSC8BL8fm8M4JlHFl+q8ST6owvcI/d:uITfIywSN+JpJkvcI/d |
MD5: | D83BFEB451C41012FC182B270CE172BA |
SHA1: | DC3F0E35CBECF128784110E0400AAE1B4BC6E4D5 |
SHA-256: | 78EC3E4419A8BB9EB8782D877AE0E2D6EFD46C20A7605A025A9963F1C180111D |
SHA-512: | 036CF65F36D2FDC24DB04CD3FED9D5140EFA029F3EFE54C5867AA32A877BB14A94619CA71EBDC6C58E37D9E9F9C67866EEBC05D62B4FA2C9AF638A11032809C2 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\wbem\WMIC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 42 |
Entropy (8bit): | 4.386015934528989 |
Encrypted: | false |
SSDEEP: | 3:8yzGc7k2VDl9l:nzGZ23D |
MD5: | B20F1F152093587041B9C1028E2A40C3 |
SHA1: | FF54B6FC7C08B855298B1DF87C378514FA8A26AD |
SHA-256: | DFAB6BFA911852F0125EA3028AA22E4144DE39A4E4B99B2DCF4E8F3BF439D280 |
SHA-512: | 6978EAA7CE8C145EE082A9355CB55419C6C639327F16252AED8DB6FF43AA87365D16B3A7540B706F71B3F26F860946248E3957E08A818552F584B38D1BAD29E6 |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.954873813010411 |
TrID: |
File name: | sasas.exe |
File size: | 6026592 |
MD5: | 14e0a802b64a6ce08f1ee408655257e4 |
SHA1: | 5c7b10241c27005b804119be34b18d9ae38c2d39 |
SHA256: | afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68 |
SHA512: | a885622588a200097f5bd8e22ccf96d370ceb53883e4b680fcbd19a1d38a1ed81558f40fce7941e95da708508a842b75a58937e1d7d10c4e0f0d8ad50e82086c |
SSDEEP: | 98304:mRsFIgIWUvzk/KDB/C3Cf5nb+oSkcjXzz7dO+frPASXud8oisVQjyKvCzPIpeAZ6:mRsFvIi/KDB/C3CBnb3c7dVfrodd3vVh |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................R........I...........@..........................p........[...@...........................E.O.. |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x898ceb |
Entrypoint Section: | .vmp1 |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE |
Time Stamp: | 0x5F8EFF91 [Tue Oct 20 15:17:37 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 28d69c6f886ae4c27716c926224c7500 |
Authenticode Signature |
---|
Signature Valid: | true |
Signature Issuer: | CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 3D61582FF1B6EC9B8013B4F425A54C8F |
Thumbprint SHA-1: | 701C1EE5D56DFBE29953C3B28141CBA483B9CC41 |
Thumbprint SHA-256: | 7E1DD656F5444C88D61D56286B7C4DCE3C2071D921FBA4800E95C672BCF0C1F8 |
Serial: | 6865294F67F0C3BB2E191F75 |
Entrypoint Preview |
---|
Instruction |
---|
push 5D49D206h |
call 00007F8620A2AB37h |
not eax |
test di, si |
jmp 00007F8620F5DE3Fh |
not cl |
cmp ebp, eax |
not al |
or cl, al |
jmp 00007F8620AF9CE9h |
dec eax |
clc |
bswap eax |
jmp 00007F86209C77BFh |
mov ecx, dword ptr [ebp+00h] |
mov ax, word ptr [ecx] |
add ebp, 00000002h |
shr ch, 00000002h |
mov word ptr [ebp+00h], ax |
neg ch |
ror cl, FFFFFFF0h |
sub edi, 00000004h |
mov ecx, dword ptr [edi] |
cmc |
jmp 00007F8620AA9823h |
neg edx |
jmp 00007F8620F6BE53h |
movzx ax, byte ptr [ebp+00h] |
mov cl, byte ptr [ebp+02h] |
lea ebp, dword ptr [ebp-00000002h] |
cmc |
cmp cx, 43A1h |
shl al, cl |
bswap ecx |
movsx cx, cl |
mov ecx, ebx |
mov word ptr [ebp+04h], ax |
setl ch |
movzx ecx, bp |
pushfd |
mov ch, dl |
shr ecx, cl |
shld ecx, esp, 00000082h |
pop dword ptr [ebp+00h] |
btc cx, sp |
add cx, 12D0h |
sub edi, 00000004h |
mov ecx, dword ptr [edi] |
xor ecx, ebx |
test ah, al |
sub ecx, 688661C6h |
xor ecx, 050107A6h |
ror ecx, 02h |
sub ecx, 2B5C2A4Ah |
xor ebx, ecx |
add esi, ecx |
jmp 00007F8620A97AA8h |
jmp 00007F86209FD96Fh |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x45dcac | 0xc4f | .vmp1 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3eb338 | 0xf0 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x956000 | 0x1d5 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5bd800 | 0x1d60 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x955000 | 0x604 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x954740 | 0x40 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x52c000 | 0x88 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x825f | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xa000 | 0x1714 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0xcf8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.didata | 0xd000 | 0x2e70 | 0x3000 | False | 0.502685546875 | data | 4.91188765333 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.vmp0 | 0x10000 | 0x38a02b | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.vmp1 | 0x39b000 | 0x5b9810 | 0x5b9a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.reloc | 0x955000 | 0x604 | 0x800 | False | 0.4111328125 | data | 3.49390067516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x956000 | 0x1d5 | 0x200 | False | 0.529296875 | data | 4.71767883295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_MANIFEST | 0x956058 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetTickCount |
USER32.dll | wsprintfW |
ADVAPI32.dll | CryptGenRandom |
SHELL32.dll | SHGetSpecialFolderPathW |
SHLWAPI.dll | StrStrIA |
CRYPT32.dll | CryptDecodeObjectEx |
WTSAPI32.dll | WTSSendMessageW |
KERNEL32.dll | VirtualQuery |
USER32.dll | GetProcessWindowStation |
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:07:12 |
Start date: | 26/11/2020 |
Path: | C:\Users\user\Desktop\sasas.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xde0000 |
File size: | 6026592 bytes |
MD5 hash: | 14E0A802B64A6CE08F1EE408655257E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 15:07:19 |
Start date: | 26/11/2020 |
Path: | C:\Windows\System32\wbem\WMIC.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6fcec0000 |
File size: | 521728 bytes |
MD5 hash: | EC80E603E0090B3AC3C1234C2BA43A0F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 15:07:19 |
Start date: | 26/11/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:07:29 |
Start date: | 26/11/2020 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 00DE2BF0, Relevance: .1, Instructions: 85, COMMON |
C-Code - Quality: 28% |
Memory Dump Source |
Similarity |
Uniqueness Score: -1.00% |
Function 00DE2D60, Relevance: .0, Instructions: 40, COMMON |
C-Code - Quality: 27% |
Memory Dump Source |
Similarity |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|