Play interactive tour

Edit tour

Analysis Report sasas.bin

Overview

General Information

Sample Name:	sasas.bin (renamed file extension from bin to exe)
Analysis ID:	323226
MD5:	14e0a802b64a6ce08f1ee408655257e4
SHA1:	5c7b10241c27005b804119be34b18d9ae38c2d39
SHA256:	afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68
Tags:	PackedRagnarLockerVMProtect
Most interesting Screenshot:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Delete shadow copy via WMIC

Deletes shadow drive data (may be related to ransomware)

Detected VMProtect packer

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect debuggers by setting the trap flag for special instructions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores large binary data to the registry

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

sasas.exe (PID: 5388 cmdline: 'C:\Users\user\Desktop\sasas.exe' MD5: 14E0A802B64A6CE08F1EE408655257E4)

WMIC.exe (PID: 6388 cmdline: wmic.exe shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1004 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Delete shadow copy via WMIC

Show sources

Source: Process started

Author: Joe Security: Data: Command: wmic.exe shadowcopy delete, CommandLine: wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Users\user\Desktop\sasas.exe' , ParentImage: C:\Users\user\Desktop\sasas.exe, ParentProcessId: 5388, ProcessCommandLine: wmic.exe shadowcopy delete, ProcessId: 6388

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sasas.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: sasas.exe	Virustotal: Detection: 68%	Perma Link
Source: sasas.exe	Metadefender: Detection: 51%	Perma Link
Source: sasas.exe	ReversingLabs: Detection: 82%

Machine Learning detection for sample

Show sources

Source: sasas.exe

Joe Sandbox ML: detected

Source: sasas.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: sasas.exe	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: sasas.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: sasas.exe	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: sasas.exe	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: sasas.exe	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: sasas.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: sasas.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: sasas.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: sasas.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: sasas.exe	String found in binary or memory: https://www.globalsign.com/repository/06

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe shadowcopy delete
Source: C:\Users\user\Desktop\sasas.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe shadowcopy delete			Jump to behavior

System Summary:

Detected VMProtect packer

Show sources

Source: sasas.exe

Static PE information: .vmp0 and .vmp1 section names

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1004

Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior

Source: classification engine

Classification label: mal96.rans.evad.winEXE@5/7@0/0

Source: C:\Users\user\Desktop\sasas.exe

Code function: 0_2_00DE2BF0 CreateToolhelp32Snapshot,Process32FirstW,WideCharToMultiByte,LocalAlloc,

0_2_00DE2BF0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5388
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D7F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

File read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: sasas.exe	Virustotal: Detection: 68%
Source: sasas.exe	Metadefender: Detection: 51%
Source: sasas.exe	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\sasas.exe 'C:\Users\user\Desktop\sasas.exe'
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1004
Source: C:\Users\user\Desktop\sasas.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe shadowcopy delete	Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

File written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: sasas.exe

Static PE information: certificate valid

Source: sasas.exe

Static file information: File size 6026592 > 1048576

Source: sasas.exe

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5b9a00

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: sasas.exe	Static PE information: section name: .didata
Source: sasas.exe	Static PE information: section name: .vmp0
Source: sasas.exe	Static PE information: section name: .vmp1

Source: C:\Users\user\Desktop\sasas.exe

Code function: 0_2_01278CEB push ebp; ret

0_2_01717146

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Users\user\Desktop\sasas.exe	Memory written: PID: 5388 base: 3F0005 value: E9 FB 99 A6 77	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Memory written: PID: 5388 base: 77E59A00 value: E9 0A 66 59 88	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Memory written: PID: 5388 base: 810007 value: E9 7B 4C 68 77	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Memory written: PID: 5388 base: 77E94C80 value: E9 8E B3 97 88	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect debuggers by setting the trap flag for special instructions

Show sources

Source: C:\Users\user\Desktop\sasas.exe

Special instruction interceptor: First address: 11f697b instructions rdtscp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: sasas.exe, 00000000.00000002.256519715.0000000000DF0000.00000020.00020000.sdmp

Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\sasas.exe	RDTSC instruction interceptor: First address: 0000000001190344 second address: 000000000119034E instructions: 0x00000000 rdtsc 0x00000002 rcl dh, FFFFFFCBh 0x00000005 xor bl, cl 0x00000007 test cl, 00000049h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sasas.exe	RDTSC instruction interceptor: First address: 000000000121EBA5 second address: 000000000121EBAA instructions: 0x00000000 rdtsc 0x00000002 popfd 0x00000003 cbw 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sasas.exe	RDTSC instruction interceptor: First address: 0000000001060146 second address: 0000000001060150 instructions: 0x00000000 rdtsc 0x00000002 rcl dh, FFFFFFCBh 0x00000005 xor bl, cl 0x00000007 test cl, 00000049h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sasas.exe	RDTSC instruction interceptor: First address: 0000000000F3F6F7 second address: 0000000001085527 instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 cdq 0x00000004 cwd 0x00000006 bswap dx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jmp 00007F8620ADF42Dh 0x00000010 ret 0x00000011 push EFB58D80h 0x00000016 call 00007F8620BFDCF5h 0x0000001b push ecx 0x0000001c mov cl, al 0x0000001e mov ecx, 5BBF7AFFh 0x00000023 setnl cl 0x00000026 push ebp 0x00000027 cmovnl ecx, edx 0x0000002a movzx cx, bl 0x0000002e xchg ebp, ebp 0x00000030 push edx 0x00000031 cwd 0x00000033 push ebx 0x00000034 xchg cx, dx 0x00000037 cmovns ecx, ebp 0x0000003a pushfd 0x0000003b rcl ecx, 0Fh 0x0000003e bswap dx 0x00000041 push edi 0x00000042 push eax 0x00000043 push esi 0x00000044 setp al 0x00000047 btc edi, 68h 0x0000004b mov ecx, 009E0000h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\sasas.exe	RDTSC instruction interceptor: First address: 000000000106ABCD second address: 0000000001085527 instructions: 0x00000000 rdtsc 0x00000002 pop eax 0x00000003 pop edx 0x00000004 btc esi, eax 0x00000007 clc 0x00000008 or ebp, 1B5853DFh 0x0000000e pop ebp 0x0000000f shl esi, 5Ah 0x00000012 pop esi 0x00000013 bt di, ax 0x00000017 movzx bx, dl 0x0000001b pop ebx 0x0000001c pop edi 0x0000001d ror ch, FFFFFFBAh 0x00000020 clc 0x00000021 pop ecx 0x00000022 cmc 0x00000023 cmp esi, ebx 0x00000025 stc 0x00000026 popfd 0x00000027 jmp 00007F86208A7774h 0x0000002c ret 0x0000002d push 85BC6880h 0x00000032 call 00007F8620C35D8Bh 0x00000037 push ecx 0x00000038 mov cl, al 0x0000003a mov ecx, 5BBF7AFFh 0x0000003f setnl cl 0x00000042 push ebp 0x00000043 cmovnl ecx, edx 0x00000046 movzx cx, bl 0x0000004a xchg ebp, ebp 0x0000004c push edx 0x0000004d cwd 0x0000004f push ebx 0x00000050 xchg cx, dx 0x00000053 cmovns ecx, ebp 0x00000056 pushfd 0x00000057 rcl ecx, 0Fh 0x0000005a bswap dx 0x0000005d push edi 0x0000005e push eax 0x0000005f push esi 0x00000060 setp al 0x00000063 btc edi, 68h 0x00000067 mov ecx, 009E0000h 0x0000006c rdtsc

Source: C:\Users\user\Desktop\sasas.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe TID: 6380	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe TID: 6384	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe TID: 6384	Thread sleep time: -380000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe TID: 6380	Thread sleep count: 63 > 30	Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\sasas.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: sasas.exe	Binary or memory string: word,wordpad,EduLink2SIMS,bengine,benetns,beserver,pvlsvr,beremote,VxLockdownServer,postgres,fdhost,WSSADMIN,wsstracing,OWSTIMER,dfssvc.exe,dfsrs.exe,swc_service.exe,sophos,SAVAdminService,SavService.exe,Hyper-v,TeamViewer,Teamviwer,Vmware,hyper-v
Source: WMIC.exe, 00000003.00000002.244961038.00000182A24C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sasas.exe, 00000000.00000002.258357936.000000000569D000.00000004.00000010.sdmp	Binary or memory string: osqlmysql,veeam,oracle,ocssd,dbsnmp,synctime,agntsvc,isqlplussvc,xfssvccon,mydesktopservice,ocautoupds,encsvc,firefox,tbirdconfig,mydesktopqos,ocomm,dbeng50,sqbcoreservice,excel,infopath,msaccess,mspub,onenote,outlook,powerpnt,steam,thebat,thunderbird,visio,winword,wordpad,EduLink2SIMS,bengine,benetns,beserver,pvlsvr,beremote,VxLockdownServer,postgres,fdhost,WSSADMIN,wsstracing,OWSTIMER,dfssvc.exe,dfsrs.exe,swc_service.exe,sophos,SAVAdminService,SavService.exe,Hyper-v,TeamViewer,Teamviwer,Vmware,hyper-v
Source: sasas.exe, 00000000.00000002.258357936.000000000569D000.00000004.00000010.sdmp	Binary or memory string: mysql,veeam,oracle,ocssd,dbsnmp,synctime,agntsvc,isqlplussvc,xfssvccon,mydesktopservice,ocautoupds,encsvc,firefox,tbirdconfig,mydesktopqos,ocomm,dbeng50,sqbcoreservice,excel,infopath,msaccess,mspub,onenote,outlook,powerpnt,steam,thebat,thunderbird,visio,winword,wordpad,EduLink2SIMS,bengine,benetns,beserver,pvlsvr,beremote,VxLockdownServer,postgres,fdhost,WSSADMIN,wsstracing,OWSTIMER,dfssvc.exe,dfsrs.exe,swc_service.exe,sophos,SAVAdminService,SavService.exe,Hyper-v,TeamViewer,Teamviwer,Vmware,hyper-v
Source: WMIC.exe, 00000003.00000002.244961038.00000182A24C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000003.00000002.244961038.00000182A24C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sasas.exe, 00000000.00000002.256509647.0000000000DED000.00000040.00020000.sdmp	Binary or memory string: sql,mysql,veeam,oracle,ocssd,dbsnmp,synctime,agntsvc,isqlplussvc,xfssvccon,mydesktopservice,ocautoupds,encsvc,firefox,tbirdconfig,mydesktopqos,ocomm,dbeng50,sqbcoreservice,excel,infopath,msaccess,mspub,onenote,outlook,powerpnt,steam,thebat,thunderbird,visio,winword,wordpad,EduLink2SIMS,bengine,benetns,beserver,pvlsvr,beremote,VxLockdownServer,postgres,fdhost,WSSADMIN,wsstracing,OWSTIMER,dfssvc.exe,dfsrs.exe,swc_service.exe,sophos,SAVAdminService,SavService.exe,Hyper-v,TeamViewer,Teamviwer,Vmware,hyper-v
Source: sasas.exe, 00000000.00000002.256509647.0000000000DED000.00000040.00020000.sdmp	Binary or memory string: sql,mysql,veeam,oracle,ocssd,dbsnmp,synctime,agntsvc,isqlplussvc,xfssvccon,mydesktopservice,ocautoupds,encsvc,firefox,tbirdconfig,mydesktopqos,ocomm,dbeng50,sqbcoreservice,excel,infopath,msaccess,mspub,onenote,outlook,powerpnt,steam,thebat,thunderbird,visio,winword,wordpad,EduLink2SIMS,bengine,benetns,beserver,pvlsvr,beremote,VxLockdownServer,postgres,fdhost,WSSADMIN,wsstracing,OWSTIMER,dfssvc.exe,dfsrs.exe,swc_service.exe,sophos,SAVAdminService,SavService.exe,Hyper-v,TeamViewer,Teamviwer,Vmware,hyper-v4861%y
Source: WMIC.exe, 00000003.00000002.244961038.00000182A24C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\sasas.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\sasas.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sasas.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\sasas.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection1	Modify Registry1	Credential API Hooking1	Security Software Discovery441	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion15	LSASS Memory	Virtualization/Sandbox Evasion15	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Information Discovery224	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sasas.exe	69%	Virustotal		Browse
sasas.exe	51%	Metadefender		Browse
sasas.exe	83%	ReversingLabs	Win32.Ransomware.RagnarLocker
sasas.exe	100%	Avira	TR/Ransom.RagnarLocker.mquxw
sasas.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323226
Start date:	26.11.2020
Start time:	15:06:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sasas.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.rans.evad.winEXE@5/7@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 90%) Quality average: 66.7% Quality standard deviation: 30.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 104.43.193.48, 51.104.144.132, 23.210.248.85, 52.155.217.156, 20.54.26.129, 13.107.42.23, 13.107.5.88, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:07:18	API Interceptor	81x Sleep call for process: sasas.exe modified
15:07:19	API Interceptor	1x Sleep call for process: WMIC.exe modified
15:07:32	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini Download File
Process:	C:\Users\user\Desktop\sasas.exe
File Type:	Windows desktop.ini, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
MD5:	A526B9E7C716B3489D8CC062FBCE4005
SHA1:	2DF502A944FF721241BE20A9E449D2ACD07E0312
SHA-256:	E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
SHA-512:	D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

C:\$RECYCLE.BIN\desktop.ini Download File
Process:	C:\Users\user\Desktop\sasas.exe
File Type:	Windows desktop.ini, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
MD5:	A526B9E7C716B3489D8CC062FBCE4005
SHA1:	2DF502A944FF721241BE20A9E449D2ACD07E0312
SHA-256:	E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
SHA-512:	D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_sasas.exe_b09c735fd3b88a6024e37c5552ad4983429b8a7_ac1afa01_1a4d44f1\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10998
Entropy (8bit):	3.757609641411303
Encrypted:	false
SSDEEP:	96:dS0bTbspOPSmhK1Dg3frpXIQcQvc6QcEDMcw3DL+HbHg/8BRTf3o8Fa9iVf9Tx+T:UyRHBUZMXoj+l/u7s5S274ItkIlr
MD5:	534C81D2361CB3D49750D1EA0B9689E3
SHA1:	AC36C5C80682A9D292D4D9E6727883D450EEFD03
SHA-256:	17150CF8F041FBEDBD87058CB08F66039C7DB00810D8BC152CA98AD8F2C7DFC8
SHA-512:	789F6E2FEA41A9E1127789D927598E5B8DE807654C7E5547AB646300F07EE2F9AD032DC8C1FDBD1DDCF6AD9BA7235859C88045D4D14999300858A960D76091F7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.9.0.5.6.5.0.5.0.1.0.3.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.9.0.5.6.5.1.3.1.3.5.2.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.3.6.2.2.3.e.-.8.e.4.3.-.4.1.4.8.-.a.f.f.e.-.7.3.8.5.b.6.7.c.c.e.7.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.8.f.2.a.1.6.-.a.e.6.e.-.4.1.f.8.-.b.5.b.b.-.4.f.0.f.b.a.d.8.c.c.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.s.a.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.c.-.0.0.0.1.-.0.0.1.7.-.f.e.e.2.-.2.e.d.f.4.8.c.4.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.6.2.6.d.7.6.d.c.9.b.5.c.3.b.5.8.8.c.3.2.7.0.e.7.2.b.0.8.c.a.e.0.0.0.0.f.f.f.f.!.0.0.0.0.5.c.7.b.1.0.2.4.1.c.2.7.0.0.5.b.8.0.4.1.1.9.b.e.3.4.b.1.8.d.9.a.e.3.8.c.2.d.3.9.!.s.a.s.a.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D7F.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Nov 26 23:07:30 2020, 0x1205a4 type
Category:	dropped
Size (bytes):	96112
Entropy (8bit):	2.147515649152545
Encrypted:	false
SSDEEP:	768:IbZqk2dEr5UZB6RDnSO0rpcWII1s0Hn1/o:IdqVdcSRtGMHnxo
MD5:	165DF6B8E73E46056C3CADD8CC59336D
SHA1:	6735C99170193473B40657290550BE8FC31A7B68
SHA-256:	85119638645B486CB5E43648D554A72C29C0064659FC2F881D4CA9B8B490DE53
SHA-512:	E6D0F3BF321DFBFD553CC76DBDFBC3355C975A13D68C8A7759229EDC2944B1C488916F54CDC3E1C28DC4AF3935E44D3F08E17574E6CBDCDD7E4CFC03966D8E2B
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......25._...................U...........B..............GenuineIntelW...........T............5._.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F74.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8296
Entropy (8bit):	3.6942186959084853
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiUD6i6YSqSU94gmfFESsCpr189bsTn3sfc+CLm:RrlsNi46i6Y/SU94gmfFES2sTn8fcji
MD5:	18042B4F61E695247A0BC967E65503BB
SHA1:	FB392B93076BB568E90905794FA72A91D6863B97
SHA-256:	7B847C9E288F15AD12B0154275C9FA668369EC6E93A10741A0DC600601A018BA
SHA-512:	9E0DDDE5E5A7613293493FBAF596A9E749EA1BBC6D9AA709E74CEA7F37DA2DF19EA6F7F86291054454C23B354C4897A13372B7BBC21ED91EED0D7AD93A6E0EFC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4011.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4542
Entropy (8bit):	4.425034893696035
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6JgtWI9VhWSC8BL8fm8M4JlHFl+q8ST6owvcI/d:uITfIywSN+JpJkvcI/d
MD5:	D83BFEB451C41012FC182B270CE172BA
SHA1:	DC3F0E35CBECF128784110E0400AAE1B4BC6E4D5
SHA-256:	78EC3E4419A8BB9EB8782D877AE0E2D6EFD46C20A7605A025A9963F1C180111D
SHA-512:	036CF65F36D2FDC24DB04CD3FED9D5140EFA029F3EFE54C5867AA32A877BB14A94619CA71EBDC6C58E37D9E9F9C67866EEBC05D62B4FA2C9AF638A11032809C2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="746418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

\Device\ConDrv Download File
Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.386015934528989
Encrypted:	false
SSDEEP:	3:8yzGc7k2VDl9l:nzGZ23D
MD5:	B20F1F152093587041B9C1028E2A40C3
SHA1:	FF54B6FC7C08B855298B1DF87C378514FA8A26AD
SHA-256:	DFAB6BFA911852F0125EA3028AA22E4144DE39A4E4B99B2DCF4E8F3BF439D280
SHA-512:	6978EAA7CE8C145EE082A9355CB55419C6C639327F16252AED8DB6FF43AA87365D16B3A7540B706F71B3F26F860946248E3957E08A818552F584B38D1BAD29E6
Malicious:	false
Reputation:	low
Preview:	ERROR:...Description = Provider failure...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.954873813010411
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sasas.exe
File size:	6026592
MD5:	14e0a802b64a6ce08f1ee408655257e4
SHA1:	5c7b10241c27005b804119be34b18d9ae38c2d39
SHA256:	afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68
SHA512:	a885622588a200097f5bd8e22ccf96d370ceb53883e4b680fcbd19a1d38a1ed81558f40fce7941e95da708508a842b75a58937e1d7d10c4e0f0d8ad50e82086c
SSDEEP:	98304:mRsFIgIWUvzk/KDB/C3Cf5nb+oSkcjXzz7dO+frPASXud8oisVQjyKvCzPIpeAZ6:mRsFvIi/KDB/C3CBnb3c7dVfrodd3vVh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................R........I...........@..........................p........[...@...........................E.O..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x898ceb
Entrypoint Section:	.vmp1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x5F8EFF91 [Tue Oct 20 15:17:37 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	28d69c6f886ae4c27716c926224c7500

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/9/2020 2:15:17 AM 6/10/2021 2:15:17 AM
Subject Chain	E=mitin@buren.ru, CN=KAMI-RESURS LLC, O=KAMI-RESURS LLC, STREET="ul. Semonovskaya B, 40, str. 13, etazh 3, pom. 301a", L=Moscow, S=Moscow, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Moscow, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1117746036539, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	3D61582FF1B6EC9B8013B4F425A54C8F
Thumbprint SHA-1:	701C1EE5D56DFBE29953C3B28141CBA483B9CC41
Thumbprint SHA-256:	7E1DD656F5444C88D61D56286B7C4DCE3C2071D921FBA4800E95C672BCF0C1F8
Serial:	6865294F67F0C3BB2E191F75

Entrypoint Preview

Instruction
push 5D49D206h
call 00007F8620A2AB37h
not eax
test di, si
jmp 00007F8620F5DE3Fh
not cl
cmp ebp, eax
not al
or cl, al
jmp 00007F8620AF9CE9h
dec eax
clc
bswap eax
jmp 00007F86209C77BFh
mov ecx, dword ptr [ebp+00h]
mov ax, word ptr [ecx]
add ebp, 00000002h
shr ch, 00000002h
mov word ptr [ebp+00h], ax
neg ch
ror cl, FFFFFFF0h
sub edi, 00000004h
mov ecx, dword ptr [edi]
cmc
jmp 00007F8620AA9823h
neg edx
jmp 00007F8620F6BE53h
movzx ax, byte ptr [ebp+00h]
mov cl, byte ptr [ebp+02h]
lea ebp, dword ptr [ebp-00000002h]
cmc
cmp cx, 43A1h
shl al, cl
bswap ecx
movsx cx, cl
mov ecx, ebx
mov word ptr [ebp+04h], ax
setl ch
movzx ecx, bp
pushfd
mov ch, dl
shr ecx, cl
shld ecx, esp, 00000082h
pop dword ptr [ebp+00h]
btc cx, sp
add cx, 12D0h
sub edi, 00000004h
mov ecx, dword ptr [edi]
xor ecx, ebx
test ah, al
sub ecx, 688661C6h
xor ecx, 050107A6h
ror ecx, 02h
sub ecx, 2B5C2A4Ah
xor ebx, ecx
add esi, ecx
jmp 00007F8620A97AA8h
jmp 00007F86209FD96Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x45dcac	0xc4f	.vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3eb338	0xf0	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x956000	0x1d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5bd800	0x1d60	.vmp1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x955000	0x604	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x954740	0x40	.vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52c000	0x88	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x825f	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x1714	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xcf8	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0xd000	0x2e70	0x3000	False	0.502685546875	data	4.91188765333	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.vmp0	0x10000	0x38a02b	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.vmp1	0x39b000	0x5b9810	0x5b9a00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x955000	0x604	0x800	False	0.4111328125	data	3.49390067516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x956000	0x1d5	0x200	False	0.529296875	data	4.71767883295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x956058	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTickCount
USER32.dll	wsprintfW
ADVAPI32.dll	CryptGenRandom
SHELL32.dll	SHGetSpecialFolderPathW
SHLWAPI.dll	StrStrIA
CRYPT32.dll	CryptDecodeObjectEx
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetProcessWindowStation
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 15:07:05.457396984 CET	60100	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:05.484488964 CET	53	60100	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:06.514277935 CET	53195	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:06.541486979 CET	53	53195	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:07.237894058 CET	50141	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:07.264866114 CET	53	50141	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:08.917826891 CET	53023	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:08.944993973 CET	53	53023	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:09.912791014 CET	49563	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:09.940043926 CET	53	49563	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:10.695554018 CET	51352	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:10.722579002 CET	53	51352	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:11.381123066 CET	59349	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:11.426606894 CET	53	59349	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:12.784346104 CET	57084	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:12.830085039 CET	53	57084	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:14.119735956 CET	58823	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:14.146728992 CET	53	58823	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:18.045667887 CET	57568	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:18.072876930 CET	53	57568	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:30.353518009 CET	50540	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:30.380543947 CET	53	50540	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:31.103127956 CET	54366	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:31.130044937 CET	53	54366	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:31.659073114 CET	53034	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:31.704303980 CET	53	53034	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:33.355969906 CET	57762	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:33.383232117 CET	53	57762	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:33.856858969 CET	55435	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:33.884130955 CET	53	55435	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:36.656949997 CET	50713	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:36.705231905 CET	53	50713	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:54.496201992 CET	56132	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:54.541548014 CET	53	56132	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:54.972058058 CET	58987	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:55.017463923 CET	53	58987	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:55.466775894 CET	56579	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:55.512239933 CET	53	56579	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:55.623167038 CET	60633	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:55.650033951 CET	53	60633	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:55.814353943 CET	61292	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:55.859702110 CET	53	61292	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:56.186002970 CET	63619	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:56.231806993 CET	53	63619	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:56.614221096 CET	64938	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:56.641377926 CET	53	64938	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:57.167743921 CET	61946	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:57.213093042 CET	53	61946	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:57.767147064 CET	64910	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:57.812489986 CET	53	64910	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:58.919801950 CET	52123	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:58.965466022 CET	53	52123	8.8.8.8	192.168.2.3
Nov 26, 2020 15:07:59.317215919 CET	56130	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:07:59.362976074 CET	53	56130	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:06.696568966 CET	58722	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:06.699286938 CET	56596	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:06.699316978 CET	64101	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:06.723807096 CET	53	58722	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:06.726361990 CET	53	64101	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:06.726406097 CET	53	56596	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:08.141215086 CET	56338	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:08.168431044 CET	53	56338	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:09.800626040 CET	59420	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:09.845676899 CET	53	59420	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:13.021620035 CET	58784	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:13.068710089 CET	53	58784	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:43.179054022 CET	63978	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:43.206501961 CET	53	63978	8.8.8.8	192.168.2.3
Nov 26, 2020 15:08:44.835546970 CET	62938	53	192.168.2.3	8.8.8.8
Nov 26, 2020 15:08:44.896513939 CET	53	62938	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: sasas.exe PID: 5388 Parent PID: 5864

General

Start time:	15:07:12
Start date:	26/11/2020
Path:	C:\Users\user\Desktop\sasas.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sasas.exe'
Imagebase:	0xde0000
File size:	6026592 bytes
MD5 hash:	14E0A802B64A6CE08F1EE408655257E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WMIC.exe PID: 6388 Parent PID: 5388

General

Start time:	15:07:19
Start date:	26/11/2020
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic.exe shadowcopy delete
Imagebase:	0x7ff6fcec0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6400 Parent PID: 6388

General

Start time:	15:07:19
Start date:	26/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6656 Parent PID: 5388

General

Start time:	15:07:29
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1004
Imagebase:	0x10000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: sasas.exe PID: 5388 Parent PID: 5864 sasas.exeCOMMON

Executed Functions

Function 00DE2BF0, Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00DE2BF0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				char _v140;
				char _v660;
				char _v696;
				char _v2744;
				char* _t16;
				intOrPtr _t20;
				void* _t23;
				void* _t25;
				void* _t28;
				void* _t31;
				void* _t33;
				void* _t36;
				void* _t37;
				void* _t38;
				void* _t40;
				void* _t42;

				_t38 = __edx;
				_t37 = __ecx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = 0x2c;
				_push( *((intOrPtr*)(_a4 + 8)));
				_t16 =  &_v2744;
				_push(_t16);
				_push(_t16);
				E01114546();
				_t20 = E00DE40C0( &_v2744,  &_v8);
				_v12 = _t20;
				if(_t20 != 0) {
					_push(0);
					_push(0xf); // executed
					_t23 = E00DE91A4(__ebx, __edi, __esi); // executed
					_t36 = _t23;
					_v696 = 0x22c;
					_push( &_v696);
					_push(_t36); // executed
					_t25 = E00DE91AA(); // executed
					if(_t25 == 0) {
						_push(_t36);
						return E00E775B6(_t25);
					} else {
						_t42 = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0xffffffff);
						_push( &_v660);
						_push(0x200);
						_push(0);
						_push(_t38); // executed
						_t28 = E01128ACB( &_v660, _t38); // executed
						_t40 = _t28;
						_t51 = _t40;
						if(_t40 != 0) {
							_push(_t40);
							_push(0x40);
							_push(_t36); // executed
							_t31 = E00EE256E(_t28, _t36, _t40, _t51); // executed
							_t42 = _t31;
							if(_t42 != 0) {
								_push(0);
								_push(0);
								_push(_t40);
								_push(_t42);
								_push(0xffffffff);
								_push( &_v660);
								_push(0x200);
								_push(0);
								_push(_t42);
								_t33 = E0115141D( &_v660, _t37);
								_t53 = _t40 - _t33;
								if(_t40 != _t33) {
									_push(_t42);
									_push(_t33);
									_t42 = E00DF27D2(_t33, _t37, _t53);
								}
							}
						}
						_push(_t42);
						_push( &_v140);
						return E00E59A7E( &_v140);
					}
				}
				_push( *_a4);
				return E01077242(_a4, __esi);
			}

0x00de2bf0
0x00de2bf0
0x00de2bf9
0x00de2bfa
0x00de2bfb
0x00de2c01
0x00de2c08
0x00de2c0b
0x00de2c11
0x00de2c12
0x00de2c13
0x00de2c23
0x00de2c2b
0x00de2c30
0x00de2c36
0x00de2c38
0x00de2c3a
0x00de2c3f
0x00de2c41
0x00de2c51
0x00de2c52
0x00de2c53
0x00de2c5a
0x00de2d19
0x00000000
0x00de2c60
0x00de2c60
0x00de2c68
0x00de2c69
0x00de2c6a
0x00de2c6b
0x00de2c6c
0x00de2c6e
0x00de2c6f
0x00de2c74
0x00de2c75
0x00de2c76
0x00de2c7b
0x00de2c7d
0x00de2c7f
0x00de2c81
0x00de2c82
0x00de2c84
0x00de2c85
0x00de2c8a
0x00de2c8e
0x00de2c90
0x00de2c92
0x00de2c94
0x00de2c95
0x00de2c96
0x00de2c9e
0x00de2c9f
0x00de2ca4
0x00de2ca6
0x00de2ca7
0x00de2cac
0x00de2cae
0x00de2cb0
0x00de2cb1
0x00de2cb7
0x00de2cb7
0x00de2cae
0x00de2c8e
0x00de2cb9
0x00de2cc0
0x00000000
0x00de2cc1
0x00de2c5a
0x00de2d3e
0x00de2d45

Memory Dump Source

Source File: 00000000.00000002.256492308.0000000000DE1000.00000020.00020000.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.256486287.0000000000DE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.256503345.0000000000DEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.256509647.0000000000DED000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.256519715.0000000000DF0000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.256556577.0000000000E15000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.256564399.0000000000E1B000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.256999593.000000000117B000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.257711018.0000000001735000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1ad1de34b71b47c4de607ff77c70b9e723a076fa2fc8f58fc7b306b278b904
Instruction ID: 4fe24f4bd61c96c236f38367a31721fb8da5a08b0b9f6924f6f0bd84ab2dfc95
Opcode Fuzzy Hash: 7d1ad1de34b71b47c4de607ff77c70b9e723a076fa2fc8f58fc7b306b278b904
Instruction Fuzzy Hash: 0D21D475501329BADB30B7628C89FEF7AACEF01754F140150BA08E7082DB74DE048BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2D60, Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00DE2D60(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v32;
				char _v52;
				intOrPtr _v68;
				char _v216;
				void* _t14;
				intOrPtr _t15;
				intOrPtr _t24;
				intOrPtr _t29;
				intOrPtr _t31;

				_push(__ebx);
				_t24 = _v68;
				_push(__esi);
				_push(__edi);
				_push(0xf003f);
				_push(0);
				_push(0);
				_t29 =  *((intOrPtr*)(_a4 + 0xc));
				_t15 = E01047286(_t14, __edx, __esi, __eflags); // executed
				_t31 = _t15;
				_v8 = _t31;
				if(_t31 == 0) {
					_push( *((intOrPtr*)(_a4 + 4)));
					return E01057F59(_a4, _t29);
				} else {
					_v32 = 0;
					_push( &_v52);
					_v24 = 0;
					_push( &_v24);
					_v52 = 0;
					_push( &_v32);
					_push(0x24);
					_push( &_v216);
					_push(3);
					_push(0x3b);
					_push(_t31);
					return E00E5CF91( &_v216, _t24);
				}
			}

0x00de2d69
0x00de2d6a
0x00de2d6d
0x00de2d6e
0x00de2d73
0x00de2d78
0x00de2d7a
0x00de2d7c
0x00de2d80
0x00de2d85
0x00de2d87
0x00de2d8c
0x00de314c
0x00de3154
0x00de2d92
0x00de2d95
0x00de2d9c
0x00de2da0
0x00de2da7
0x00de2dab
0x00de2db2
0x00de2db3
0x00de2dbb
0x00de2dbc
0x00de2dbe
0x00de2dc0
0x00de2dc6
0x00de2dc6

Memory Dump Source

Source File: 00000000.00000002.256492308.0000000000DE1000.00000020.00020000.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.256486287.0000000000DE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.256503345.0000000000DEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.256509647.0000000000DED000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.256519715.0000000000DF0000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.256556577.0000000000E15000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.256564399.0000000000E1B000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.256999593.000000000117B000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.257711018.0000000001735000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e835cf9a7b53f76407886c0d6acb7426200b31b7f4adf1f4e5a1cce5a78b360d
Instruction ID: b3779436987bb113e9eeed160734fe94ca36b9502b11101ebce40bc47341c899
Opcode Fuzzy Hash: e835cf9a7b53f76407886c0d6acb7426200b31b7f4adf1f4e5a1cce5a78b360d
Instruction Fuzzy Hash: E0014FB5901219BBDB21DB90CD45FEFB7BCBB04B40F544155BA04B7281D374AA098BE5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sasas.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: sasas.exe PID: 5388 Parent PID: 5864

General

Chronological Activities

Analysis Process: WMIC.exe PID: 6388 Parent PID: 5388

General

Chronological Activities

Function 00DE2BF0, Relevance: .1, Instructions: 85
COMMON

Function 00DE2D60, Relevance: .0, Instructions: 40
COMMON