Play interactive tour

Edit tour

Analysis Report Shipping Document INVPLBL_pdf.exe

Overview

General Information

Sample Name:	Shipping Document INVPLBL_pdf.exe
Analysis ID:	323820
MD5:	40e23535eaeb38100848d2544f29425d
SHA1:	115391590b015b30e742095c3355b63f4ae29335
SHA256:	f76e242ad82adab98e38fbdcc1469a7066031c5345d4904035d545713355629d
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Shipping Document INVPLBL_pdf.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe' MD5: 40E23535EAEB38100848D2544F29425D)

Shipping Document INVPLBL_pdf.exe (PID: 6704 cmdline: 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe' MD5: 40E23535EAEB38100848D2544F29425D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping Document INVPLBL_pdf.exe	Virustotal: Detection: 31%			Perma Link
Source: Shipping Document INVPLBL_pdf.exe	ReversingLabs: Detection: 18%

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Shipping Document INVPLBL_pdf.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Shipping Document INVPLBL_pdf.exe

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324046 NtSetInformationThread,NtWriteVirtualMemory,CreateFileA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328117 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232062E EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232861B NtSetInformationThread,NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326558 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324887 NtSetInformationThread,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323228 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023232DC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232339C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324018 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232361C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328664 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320709 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323764 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320758 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023207AC NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023287AC NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023287F8 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023244F9 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023234CC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323578 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323A1C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328A00 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323A80 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B0C NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328B78 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328BA6 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326B82 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320830 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323818 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320863 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232886F NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328840 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023208D3 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023288C8 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328910 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023289B0 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322F3D NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326FDD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328C48 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322CC0 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322D64 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564046 NtSetInformationThread,CreateFileA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00568117 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005644F9 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566558 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056861B NtSetInformationThread,EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056062E EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564018 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00561343 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00561380 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560758 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560709 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005607AC NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560863 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560830 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005608D3 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564887 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00563A80 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B0C NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562CC0 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562D64 NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562F3D NtSetInformationThread,

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00405F92
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040604C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C4F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040706A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040646C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040707D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407006
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C09
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040600D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407022
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406432
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CDE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004060FE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004068FE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CFE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C8F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406497
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040609A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004068A9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004064AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004070B8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406141
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406548
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406555
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D6F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040617C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D0A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406520
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D22
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004069C6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406DD0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004061E0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004065E1
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004069F3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004065FB
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040698F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040619F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004061BC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406261
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E62
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A6C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406673
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406201
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E10
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A18
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406627
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A3E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406EE1
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004066E3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406AF5
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E82
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004062A9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406AA9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004066B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406B5C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040676F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F76
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F7F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406701
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F0B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406317
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F26
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406B38
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004063CC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406BD7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004067D9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004067E6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406391
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004063A8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406BB6

Source: Shipping Document INVPLBL_pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450736065.00000000022F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596524457.0000000002480000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000000.448665148.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@2/0

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DF5734C66BAC6D41BF.TMP

Jump to behavior

Source: Shipping Document INVPLBL_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Shipping Document INVPLBL_pdf.exe	Virustotal: Detection: 31%
Source: Shipping Document INVPLBL_pdf.exe	ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B456 push A9E19630h; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408400 push cs; ret
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040EC06 push es; iretw
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040C40C push ebp; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040DC34 push eax; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040A43A push ecx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B8C5 push ebx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004084A5 push 51D0883Bh; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040996C push dword ptr [5D03CCEEh]; ret
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409D77 push eax; retf
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409927 push dword ptr [5D03CCEEh]; ret
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004089C6 push ecx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040F9CE push eax; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B1E8 push ecx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040F9F3 push eax; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040A9B0 push esp; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00402647 push es; retf
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408E7E push esi; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408A1C push 6787C079h; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408A1F push 6787C079h; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040E224 push ecx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409E2F push es; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408E9A push eax; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409F44 push esi; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B344 push ds; retf
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409F52 push eax; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407B00 push ds; retf
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409FD6 push ds; ret
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040AFEB push ecx; iretd
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040EB89 push es; iretw
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040E38E push A95D7E27h; iretd

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000002327127 second address: 0000000002327127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA083855Eh 0x0000001f popad 0x00000020 call 00007F0EA0837FE4h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000000567127 second address: 0000000000567127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA0C7539Eh 0x0000001f popad 0x00000020 call 00007F0EA0C74E24h 0x00000025 lfence 0x00000028 rdtsc

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02320A6B rdtsc

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: NtSetInformationThread,EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02324046 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02320A6B rdtsc

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02324E5C LdrInitializeThunk,

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232217F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326722 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02327A40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323BA8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232289C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023279F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326D75 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056217F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566722 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056289C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005679F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00567A40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00563BA8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566D75 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'

Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02326A99 cpuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Service Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping Document INVPLBL_pdf.exe	31%	Virustotal		Browse
Shipping Document INVPLBL_pdf.exe	19%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
gorkaloyola.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gorkaloyola.com	192.185.170.106	true	false	0%, Virustotal, Browse	unknown
g.msn.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin	Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323820
Start date:	27.11.2020
Start time:	15:47:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Shipping Document INVPLBL_pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/0@2/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.5%) Quality average: 36.2% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 51.104.139.180, 40.67.251.132, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.194, 92.122.213.247, 23.210.248.85, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.089976510884923
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping Document INVPLBL_pdf.exe
File size:	86016
MD5:	40e23535eaeb38100848d2544f29425d
SHA1:	115391590b015b30e742095c3355b63f4ae29335
SHA256:	f76e242ad82adab98e38fbdcc1469a7066031c5345d4904035d545713355629d
SHA512:	981249b64fb0d86ae22f45a669d209605cb4d0dd17bbd440685f9dc161bfc7754e2c47f4620cf3b91d29ef8ffcc30c7f8548e0b755b4048ab89f63c6882d625d
SSDEEP:	768:JzJPpJ4xUMiQj1tKl6IfWRGt55Pi5G2wVHRyEkP:Jzl421K1tKlDQGtau
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...C.TN.....................@............... ....@................

File Icon


Icon Hash:	e9e1c5c9d5d9d1aa

Static PE Info

General
Entrypoint:	0x40120c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E54D443 [Wed Aug 24 10:36:51 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d1e6b215baa9cbbcb95c5c9eee80175d

Entrypoint Preview

Instruction
push 0040297Ch
call 00007F0EA0728FB3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+3A5E7E9Ch], bh
and eax, CAAC4075h
dec ebp
cmpsd
mov esi, 002543FEh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 50h
jc 00007F0EA0729031h
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add ah, al
sub dword ptr [edx], ecx
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub al, 30h
mov al, byte ptr [A282ECD9h]
out dx, eax
dec ebp
xchg eax, ecx
mov bl, 95h
mov ah, 3Ch
sbb ah, byte ptr [eax-68h]
loop 00007F0EA0728F69h
retf 0F39h
sti
mov word ptr [ebp+ebx*4-56h], es
mov al, byte ptr [CDA1847Fh]
fstp tbyte ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x111c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x119e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10580	0x11000	False	0.425680721507	data	5.67635669522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x1150	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x119e	0x2000	False	0.219116210938	data	2.9662217016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x148f6	0x8a8	data
RT_ICON	0x1438e	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1436c	0x22	data
RT_VERSION	0x14120	0x24c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, _CIatan, __vbaStrMove, _allmul, _CItan, __vbaFPInt, _CIexp

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Skaget
FileVersion	2.00
CompanyName	Madrigal Corp
Comments	Madrigal Corp
ProductName	Project1
ProductVersion	2.00
OriginalFilename	Skaget.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 15:48:21.044915915 CET	58384	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:21.082891941 CET	53	58384	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:22.241636038 CET	60261	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:22.268754005 CET	53	60261	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:23.654417038 CET	56061	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:23.681477070 CET	53	56061	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:25.483433008 CET	58336	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:25.510389090 CET	53	58336	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:26.202280998 CET	53781	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:26.229373932 CET	53	53781	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:27.250709057 CET	54064	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:27.277700901 CET	53	54064	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:28.031394005 CET	52811	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:28.058437109 CET	53	52811	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:28.713527918 CET	55299	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:28.740658045 CET	53	55299	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:30.389445066 CET	63745	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:30.425527096 CET	53	63745	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:31.447170019 CET	50055	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:31.482527971 CET	53	50055	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:32.112328053 CET	61374	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:32.139417887 CET	53	61374	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:32.868566990 CET	50339	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:32.895838022 CET	53	50339	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:34.463712931 CET	63307	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:34.491255999 CET	53	63307	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:35.195472002 CET	49694	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:35.222491980 CET	53	49694	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:45.788101912 CET	54982	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:45.815256119 CET	53	54982	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:06.379210949 CET	50010	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:06.416075945 CET	53	50010	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:13.421981096 CET	63718	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:13.457546949 CET	53	63718	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:14.304552078 CET	62116	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:14.342350006 CET	53	62116	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:14.780752897 CET	63816	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:14.818800926 CET	53	63816	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.112642050 CET	55014	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:15.148348093 CET	53	55014	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.565212965 CET	62208	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:15.592267990 CET	53	62208	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.980247974 CET	57574	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:16.015897036 CET	53	57574	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:16.489033937 CET	51818	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:16.530077934 CET	53	51818	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:17.026971102 CET	56628	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:17.062434912 CET	53	56628	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:17.666729927 CET	60778	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:17.693818092 CET	53	60778	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:18.044378996 CET	53799	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:18.079725027 CET	53	53799	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:18.969459057 CET	54683	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:19.005215883 CET	53	54683	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:21.326265097 CET	59329	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:21.361706018 CET	53	59329	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:26.910702944 CET	64021	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:26.946363926 CET	53	64021	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:44.968725920 CET	56129	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:45.004426956 CET	53	56129	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:50.758688927 CET	58177	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:50.794290066 CET	53	58177	8.8.8.8	192.168.2.6
Nov 27, 2020 15:50:09.024199009 CET	50700	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:50:09.051368952 CET	53	50700	8.8.8.8	192.168.2.6
Nov 27, 2020 15:50:25.283133030 CET	54069	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:50:25.445837975 CET	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 15:49:21.326265097 CET	192.168.2.6	8.8.8.8	0xea1	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 27, 2020 15:50:25.283133030 CET	192.168.2.6	8.8.8.8	0x47c2	Standard query (0)	gorkaloyola.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 15:49:21.361706018 CET	8.8.8.8	192.168.2.6	0xea1	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 15:50:25.445837975 CET	8.8.8.8	192.168.2.6	0x47c2	No error (0)	gorkaloyola.com		192.185.170.106	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 7072 Parent PID: 5852

General

Start time:	15:48:21
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	40E23535EAEB38100848D2544F29425D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 6704 Parent PID: 7072

General

Start time:	15:49:16
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	40E23535EAEB38100848D2544F29425D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shipping Document INVPLBL_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 7072 Parent PID: 5852

General

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 6704 Parent PID: 7072

General

Disassembly

Code Analysis