Play interactive tour

Edit tour

Analysis Report Scan_order.scr

Overview

General Information

Sample Name:	Scan_order.scr (renamed file extension from scr to exe)
Analysis ID:	337854
MD5:	04be7ed51e345a56403df4657b376990
SHA1:	44f5fdf6902d114524afc110cd927f95f72903fa
SHA256:	ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
Tags:	GuLoaderRemcosRATscr
Most interesting Screenshot:
Errors Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected GuLoader

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Scan_order.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: 04BE7ED51E345A56403DF4657B376990)

ieinstal.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

wscript.exe (PID: 5776 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: ieinstal.exe PID: 6128	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Scan_order.exe PID: 5260	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, ProcessId: 6128, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: Scan_order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6

Source: global traffic

TCP traffic: 192.168.2.3:49755 -> 185.157.161.61:52360

Source: Joe Sandbox View

IP Address: 172.217.23.1 172.217.23.1

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com

Source: ieinstal.exe

String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown

HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Scan_order.exe

Source: C:\Users\user\Desktop\Scan_order.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5B11 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C29E9 NtWriteVirtualMemory,Sleep,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F53 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C0549 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6205 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2AB9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5AA6 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C231C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C236C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2369 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2390 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C23C9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C23F9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6001 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6031 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C602D NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1021 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C604A NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6065 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6091 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C60BD NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C60D9 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6135 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6129 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6177 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6160 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6198 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61BD NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C51CF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61C5 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61F1 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C0614 NtSetInformationThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C063D NtSetInformationThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E2D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C26A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C26D4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C272D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C274B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F68 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F93 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FB9 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FA9 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FAB NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FC1 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FC3 NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FED NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FEF NtResumeThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C241D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2461 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2495 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C24BE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2CC8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2514 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550F NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C253D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2539 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C05B5 NtSetInformationThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25A9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25AB NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C05D9 NtSetInformationThread,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25F7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C35E9 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5B11 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5AA6 NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_004027ED

Source: Scan_order.exe, 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Source: Scan_order.exe	Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe

Source: Scan_order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@2/2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE

Source: C:\Users\user\Desktop\Scan_order.exe

File created: C:\Users\user\AppData\Local\Temp\~DFFCC5FEF3BD8D5BCE.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'

Source: Scan_order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scan_order.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scan_order.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6128, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Scan_order.exe PID: 5260, type: MEMORY

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040481C push ebx; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408422 push ecx; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040403A push eax; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004054C9 push esp; iretd
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408C9A push ecx; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040414A push ECE29E81h; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040416C push EDC16208h; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408504 push eax; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406D10 push ebx; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406A43 push esp; iretd
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406647 push edx; retn 0006h
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00402AF4 push cs; iretd
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004086FD push 6DCDEB08h; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004082A2 push ecx; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00405AB6 push A8FAEB08h; iretd
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040830C push ecx; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408B2A push ecx; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00405FCA push eax; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040CFAE pushfd ; iretd
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4AA1 push 89F538D8h; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4AE9 push 89F538D8h; ret
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C3BF8 push cs; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C13F7 push 38C2EBD8h; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C46DF push 85C2EBD8h; retf
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C57B9 push eax; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D3737 push DDE8C938h; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D57B9 push eax; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4AA1 push 89F538D8h; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4AE9 push 89F538D8h; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D46DF push 85C2EBD8h; retf

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C1E2D NtWriteVirtualMemory,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Scan_order.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Scan_order.exe, ieinstal.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C29E9 rdtsc

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636	Thread sleep count: 252 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636	Thread sleep time: -2520000s >= -30000s

Source: Scan_order.exe, ieinstal.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C0549 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Scan_order.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C29E9 rdtsc

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C36F0 LdrInitializeThunk,

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004027ED mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2B29 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E7D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C16EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F5A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1C19 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5536 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5524 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4558 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C557D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C55A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C55CD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D2B15 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F5A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5524 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5536 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D550F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D550B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D557D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4558 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D55A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5581 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D55CD mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 32D0000

Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'

Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager[\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Managerros\logs.dat\|
Source: logs.dat.25.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager0\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Managerr\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager StartedL
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager Starteder8
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Managering\remcos\logs.dT
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Security Software Discovery731	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion23	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery32	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wealthyblessed.myddns.rocks	185.157.161.61	true	true	unknown
googlehosted.l.googleusercontent.com	172.217.23.1	true	false	high
doc-0c-8c-docs.googleusercontent.com	unknown	unknown	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.23.1	unknown	United States		15169	GOOGLEUS	false
185.157.161.61	unknown	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337854
Start date:	11.01.2021
Start time:	08:08:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Scan_order.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.5% (good quality ratio 1.4%) Quality average: 45.8% Quality standard deviation: 11.2%
HCA Information:	Successful, ratio: 78% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.64.90.137, 104.79.90.110, 20.190.129.2, 40.126.1.145, 20.190.129.160, 20.190.129.133, 40.126.1.128, 20.190.129.130, 40.126.1.130, 40.126.1.142, 51.104.139.180, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.11.168.160, 52.155.217.156, 172.217.23.14, 20.190.129.17, 20.190.129.24, 40.126.1.166, 20.190.129.19, 51.11.168.232, 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/337854/sample/Scan_order.exe
Errors:	Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Simulations

Behavior and APIs

Time	Type	Description
08:12:00	API Interceptor	408x Sleep call for process: ieinstal.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.217.23.1	Images for New materials H12Etxknwemhib9.exe	Get hash	malicious	Browse
	undefined.html	Get hash	malicious	Browse
	http://www.dropbox.com/l/AAA5d-90vlipt6OAJjh2DZ1FLO-gN1n6Y0k	Get hash	malicious	Browse
	Order List.exe	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vQ2WKVd3JleNdWlUHfoPHiI9meS5tPYCvu_arjbyKKIg7TwWXSlOD1XSnaOARjo0G7h2c08To_2PmFI/pub	Get hash	malicious	Browse
	https://www.evernote.com/shard/s392/sh/fa9d8bce-6c75-8e4b-f292-c8e5922b6f12/2c2e75787ef91022dc2eb256a739682c	Get hash	malicious	Browse
	http://freeaccountnow.com	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vRFLfuWRihaQHjGEPs8-Dm7Y3VxEFRpiUJuJmD9Vm6y3xVSSG9Vc3XxRnbyHQzIoWQ_5REbdDbkOq0s/pub	Get hash	malicious	Browse
	Request For quotation-00900.exe	Get hash	malicious	Browse
	http://www.146146.cynemas.site./RGFybmVsbC5NYXRoZXdAY29nZWNvcGVlcjEuY29t#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvZWVyZTM0Mi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vSXSFqM3FyfkgqlaUuBs15kxzZ2ytYMtEH-lt-VAyaJGjbE3AvRzWL0WZQ7F1gIxKGQpEkm2Ri_snvl/pub	Get hash	malicious	Browse
	PR-0012575 (P 999).exe	Get hash	malicious	Browse
	https://tuak.cmail19.com/t/t-i-xykuka-l-r/	Get hash	malicious	Browse
	http://www.154154.bd.ntipak.com/aXJlbmVfY2hhbkBzdXRkLmVkdS5zZw==#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvbW1uYi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	http://www.154154.bd.ntipak.com/aXJlbmVfY2hhbkBzdXRkLmVkdS5zZw==#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvbW1uYi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vSddy8cuFSrePEDADFWqOFMq31iEt3VTknn8s0o66ouwgLfYqTCG7MSJvch7KcyR03mvmYMJg1Kh7lk/pub	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vQl8xkPTC5qcRYddleeD1wWjcL_--hdx0xmAEkwmmMnX6FXnPPI-eTnY7H4kljKVOeNuw_n16-YWE8v/pub	Get hash	malicious	Browse
	https://u2109837.ct.sendgrid.net/ls/click?upn=ZZ6GL0ia6ZQqkHdNqmcfnzjKMlvomZCQgE3kAyJdsXh7HvgQ2sCYDvk7NVAOuyTHb4xXVycnbXvYmGLTwLvXqlr-2FBH7O-2F0sVebcrSi3wRAMnqysyGCkq3KDTz4rGE56KJbrbg5mYb0pZbdZr2hfCwkjkHfsLEQHJq26n9MbwBgSPBCfBmTAw89TNFmIXOWNgEnCv_TmoPLIbax9Jh83rXf3CKCVf12BRNQLs5vTp0XFzzHhSTjJ689hADNCj94vLJ0pVWCcnqGZbEr5n33c4fDosWEocENGB3Oz4505qLzziVwjY-2FU2OHI-2BUytdgZg08iOUQHYVA2mg-2F765B7tOcBDzWCeXXJvpMpTRZrtem0FeuQJ9Lt-2BKa-2BPLFmOTTbRy6Mp3SEhYQHWiVe4JER4ZKmX41wsxK3Nbbdn0r-2FMyMZS2hyINI-3D	Get hash	malicious	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ	Get hash	malicious	Browse
	https://u8044497.ct.sendgrid.net/ls/click?upn=2kG68ZigzTjarF-2BMq-2BkFKRCI85rLMeWLq4nFd21f8aWMar1nyH1bpDl6QTriB-2BCg9ZRVuS5KNgyqJvrwEERxoCN-2FuJNCLk-2FKWpotJvzpXzhK5ZrQRQIuKE2scLJ6pxOJGqxvH-2FdFgC9ylH2T9F-2F-2F87QanD-2B78vn33Psi-2FpSvawsFv5nBPk3yW8zOfIG-2F8LMbQKnY_E0HJ-2FOm5MWj9o-2F074sR7ar3EENZ9HXqrwFihx-2BlxgKrKtNrT8HHD9UvVOlQfmJqHouKdBiD0cPuRxKhdbr-2BdBDCJw-2FpPJ6Rhg8Rcuykg2re83cPJOlx1ck9OfAJuT20-2Bg-2FHKW3ZtFIgFXmtA3eRHIhUPakM-2F1wd24fcVrApKwPA4Zq7KEN7k9VTA7qQX29revWsMXFb-2FufLF7Xz8-2FlzYJA-3D-3D	Get hash	malicious	Browse
185.157.161.61	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse
185.157.161.61	New PO.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyblessed.myddns.rocks	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	185.157.161.61
wealthyblessed.myddns.rocks	New PO.doc	Get hash	malicious	Browse	185.157.161.61
googlehosted.l.googleusercontent.com	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	142.250.180.97
	New PO.doc	Get hash	malicious	Browse	142.250.180.97
	http://down10d.zol.com.cn/zoldownload/fangsong_GB231 2@81_432727.exe	Get hash	malicious	Browse	142.250.180.97
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	142.250.180.97
	http://kubecloud.com	Get hash	malicious	Browse	142.250.180.97
	https://blog.dericoin.com/wp-includes/shell/ivd/office/office/voicemail/index.php	Get hash	malicious	Browse	142.250.180.97
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	142.250.180.97
	jfuoevj.exe	Get hash	malicious	Browse	142.250.180.97
	http://subreqxserver1132.azurewebsites.net	Get hash	malicious	Browse	142.250.180.97
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse	142.250.180.97
	https://wfuwdbjwquoiynfb-dot-tundasma.el.r.appspot.com/#test@test.com	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	http://bit.ly/3nlGvk0	Get hash	malicious	Browse	216.58.206.33
	http://fokpsrhpqilmgun.65kjh455kh566gf.camdvr.org	Get hash	malicious	Browse	216.58.206.33
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	216.58.206.33
	#Ud83d#Udcde_8360.htm	Get hash	malicious	Browse	216.58.215.225
	Westernsouthernlife8PG5-YSGL2K-TVU4.htm	Get hash	malicious	Browse	216.58.215.225
	https://alijafari6.wixsite.com/owa-projection-aspx	Get hash	malicious	Browse	216.58.215.225
	zsmcirs.exe	Get hash	malicious	Browse	216.58.215.225

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OBE-EUROPEObenetworkEuropeSE	inrfzFzDHR.exe	Get hash	malicious	Browse	45.148.16.42
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	185.157.161.61
	New PO.doc	Get hash	malicious	Browse	185.157.161.61
	89GsVCJAXv.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	dpR3o92MH1.exe	Get hash	malicious	Browse	185.157.162.81
	0qNSJXB8nG.exe	Get hash	malicious	Browse	185.157.162.81
	Order_1101201918_AUTECH.exe	Get hash	malicious	Browse	185.157.161.86
	7w7LwD8bqe.exe	Get hash	malicious	Browse	185.157.162.81
	ZZB5zuv1X0.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	ptoovvKZ80.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	EnJsj6nuD4.exe	Get hash	malicious	Browse	185.157.162.81
	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
GOOGLEUS	correos-1.apk	Get hash	malicious	Browse	216.58.198.42
	correos-1.apk	Get hash	malicious	Browse	216.58.198.10
	parler.apk	Get hash	malicious	Browse	216.58.198.10
	parler.apk	Get hash	malicious	Browse	142.250.180.131
	Riskware.apk	Get hash	malicious	Browse	216.58.198.10
	transcach.exe	Get hash	malicious	Browse	172.253.120.109
	PCS.exe	Get hash	malicious	Browse	172.253.120.109
	transcach.exe	Get hash	malicious	Browse	172.253.120.109
	freezer-arm32-0.6.8.apk	Get hash	malicious	Browse	216.239.35.12
	freezer-arm32-0.6.8.apk	Get hash	malicious	Browse	216.239.35.0
	mobdro.apk	Get hash	malicious	Browse	142.250.180.174
	mobdro.apk	Get hash	malicious	Browse	142.250.180.174
	ddkMUJ9VLH.exe	Get hash	malicious	Browse	8.8.8.8
	AptoideTV-5.1.2.apk	Get hash	malicious	Browse	142.250.180.142
	com.parler.parler-2.6.6-free-www.apksum.com.apk	Get hash	malicious	Browse	142.250.180.74
	Pending PURCHASE ORDER - 47001516.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	142.250.180.97
	FTH2004-005.exe	Get hash	malicious	Browse	34.102.136.180
	Curriculo Laura.xlsm	Get hash	malicious	Browse	35.241.57.45
	Confirm!!!..exe	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	_00AC0000.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.Trojan.GenericKD.44525883.8642.exe	Get hash	malicious	Browse	172.217.23.1
	11998704458248.exe	Get hash	malicious	Browse	172.217.23.1
	KeyMaker.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	172.217.23.1
	home.css.ps1	Get hash	malicious	Browse	172.217.23.1
	Curriculo Laura.xlsm	Get hash	malicious	Browse	172.217.23.1
	36.exe	Get hash	malicious	Browse	172.217.23.1
	Buran.exe	Get hash	malicious	Browse	172.217.23.1
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	172.217.23.1
	https://survey.alchemer.com/s3/6130663/Check-11-Payment	Get hash	malicious	Browse	172.217.23.1
	https://smlfinance.com/wp-content/uploads/2021/DHL2021/MARKET/	Get hash	malicious	Browse	172.217.23.1
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse	172.217.23.1
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse	172.217.23.1
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	172.217.23.1
	jfuoevj.exe	Get hash	malicious	Browse	172.217.23.1
	https://blog.dericoin.com/wp-includes/shell/ivd/Office/office/voicemail/index.php	Get hash	malicious	Browse	172.217.23.1

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\uninstall.vbs Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	366
Entropy (8bit):	3.376225730361457
Encrypted:	false
SSDEEP:	6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgUubdlrYM3LkMl4YLMYRdn9YKJRB4y8:xQ4lA2++ugypjBQMB3DubdpYGkMJH9Zk
MD5:	0FE2423601D3291B0B6326E6518286A0
SHA1:	09746EB739147F191068ABA1552CD616EABD5E1D
SHA-256:	1A899121E3969C2BB894E08765A57E8A65CB9154D71C3825BAA6B4F2DA61D8F3
SHA-512:	9632ACAA96BF0D7BC5F3754D15117079888FCC23591007FC7F4D5DABFDB1E9300CF96FF3EE9266FE2D29EA118623651773D1002D5A3F91270471841D5012CEC6
Malicious:	false
Reputation:	low
Preview:	O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.\.i.e.i.n.s.t.a.l...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.639773731024033
Encrypted:	false
SSDEEP:	3:ttUAdUPVWJKrA4RXMRPHv31ae1voVEAv5EJMLrA4RXMRPHvn:tmSgO4XqdHv3I92NM/XqdHvn
MD5:	5B63CB81C36495441D67E06B293B0320
SHA1:	14246085597E9585F67E58065DE13C096926F008
SHA-256:	787158C4FCB177C4861EC3BC08D21AEA5D0807EE46725D35EFB392530E079834
SHA-512:	A077CF0DF572B374B411E2AFED6C749E4D54F8FFDB4AF9538AF7443C92BB7B59B76A28DB00BB5C6734594F88956C9B89B3DA510046A8853DAD3D791EECAC8848
Malicious:	true
Reputation:	low
Preview:	..[2021/01/11 08:12:00 Offline Keylogger Started]....[ Program Manager ]....[2021/01/11 09:16:06 Offline Keylogger Started]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.746554652121395
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan_order.exe
File size:	77824
MD5:	04be7ed51e345a56403df4657b376990
SHA1:	44f5fdf6902d114524afc110cd927f95f72903fa
SHA256:	ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
SHA512:	0b71a26ad38bbc0c1fb37854f636125012cfa6177afa1de4291756e5bdbe3bc07df157a1eb4ba7c3ee82055ece44ec21157ff14a6d66df14b0a720ad410afd21
SSDEEP:	1536:Klk8B6BXvSJtdFpIqRD0rKMIU/EmmwMOKEKkLQJDy2:crYVvOtdFp9gK88zOKEKkLQJd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...5>.O..................... ......\.............@................

File Icon


Icon Hash:	1adaf8c2cacada48

Static PE Info

General
Entrypoint:	0x40145c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F063E35 [Fri Jan 6 00:20:05 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	064d9ba8d40942674328edc4d8e0fd2c

Entrypoint Preview

Instruction
push 0040AB44h
call 00007F03F4CDB823h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, ebp
test byte ptr [eax-1Dh], al
push esp
dec ebp
or cl, byte ptr [ebx-5Fh]
popfd
adc byte ptr [esi-62h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10904	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x120	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfe00	0x10000	False	0.402313232422	data	5.25950000678	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x11000	0xa18	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xfd0	0x1000	False	0.179443359375	data	2.23330666999	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x12328	0xca8	data
RT_GROUP_ICON	0x12314	0x14	data
RT_VERSION	0x120f0	0x224	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrComp, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	UNFUGI
FileVersion	1.00
CompanyName	Double Fine Productions
ProductName	COPR
ProductVersion	1.00
OriginalFilename	UNFUGI.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 08:12:01.061997890 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.104787111 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.104908943 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.105503082 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.148252010 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161623001 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161823034 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161878109 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161914110 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.162003040 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.162054062 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.179040909 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.222057104 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.222176075 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.224553108 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.271717072 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500399113 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500454903 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500499010 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500540972 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500581980 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500664949 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.500698090 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.503282070 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.503338099 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.504602909 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.506263018 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.506310940 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.506398916 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.509248972 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.509289980 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.509393930 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.509413958 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.512204885 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.512252092 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.513495922 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.514645100 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.514693975 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.514758110 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.543378115 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.543421984 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.543456078 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.543481112 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.544977903 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.545031071 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.545147896 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.547833920 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.547884941 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.548156977 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.550843954 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.550885916 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.550925016 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.550945997 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.553823948 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.553863049 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.555123091 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.556824923 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.556863070 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.556948900 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.557034016 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.559856892 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.559895992 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.562644005 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.562880993 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.562927008 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.565923929 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.565979958 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.566020966 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.566052914 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.568497896 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.568547964 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.568651915 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.571171999 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.571213007 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.571341038 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.573820114 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.574940920 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.864685059 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.080409050 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.082844019 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.085031033 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.341301918 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.460266113 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.467345953 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.730282068 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:07.461051941 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:07.464006901 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:07.720292091 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:12.470863104 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:12.516609907 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:12.615115881 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:12.880552053 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:17.470907927 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:17.473575115 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:17.751055956 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:22.480979919 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:22.485896111 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:22.750473022 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:27.470366955 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:27.473355055 CET	49755	52360	192.168.2.3	185.157.161.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 08:08:56.034691095 CET	63492	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:56.085526943 CET	53	63492	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:57.539195061 CET	60831	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:57.590198040 CET	53	60831	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:58.997844934 CET	60100	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:59.059166908 CET	53	60100	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:59.992403030 CET	53195	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:00.040544033 CET	53	53195	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:01.331974983 CET	50141	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:01.382942915 CET	53	50141	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:02.373349905 CET	53023	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:02.421516895 CET	53	53023	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:03.819200993 CET	49563	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:03.867108107 CET	53	49563	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:04.752156973 CET	51352	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:04.800386906 CET	53	51352	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:06.000201941 CET	59349	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:06.048269987 CET	53	59349	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:07.186904907 CET	57084	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:07.235117912 CET	53	57084	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:08.298183918 CET	58823	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:08.346400976 CET	53	58823	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:09.535099983 CET	57568	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:09.583108902 CET	53	57568	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:28.973202944 CET	50540	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:29.032784939 CET	53	50540	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:37.395679951 CET	54366	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:37.443648100 CET	53	54366	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:38.408901930 CET	53034	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:38.456998110 CET	53	53034	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:50.190967083 CET	57762	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:50.250932932 CET	53	57762	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:59.925106049 CET	55435	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:59.989722013 CET	53	55435	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:14.570008039 CET	50713	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:14.620887995 CET	53	50713	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:19.093394995 CET	56132	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:19.153832912 CET	53	56132	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:50.901370049 CET	58987	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:50.949441910 CET	53	58987	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:56.035588026 CET	56579	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:56.083764076 CET	53	56579	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:46.976233006 CET	60633	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:47.098877907 CET	53	60633	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:49.292625904 CET	61292	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:49.349224091 CET	53	61292	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:50.505830050 CET	63619	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:50.562891006 CET	53	63619	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:51.038547039 CET	64938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:51.095021009 CET	53	64938	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:51.672871113 CET	61946	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:51.734428883 CET	53	61946	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:52.378628016 CET	64910	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:52.437542915 CET	53	64910	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:53.229226112 CET	52123	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:53.341048002 CET	53	52123	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:56.489923954 CET	56130	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:56.549196959 CET	53	56130	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:58.056026936 CET	56338	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:58.112437010 CET	53	56338	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:58.734754086 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:58.791250944 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:00.079550982 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:00.144229889 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:00.972094059 CET	63978	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:01.049339056 CET	53	63978	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:01.649941921 CET	62938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:01.862879038 CET	53	62938	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:44.708283901 CET	55708	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:44.765296936 CET	53	55708	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:45.210810900 CET	56803	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:45.267163992 CET	53	56803	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:49.075913906 CET	57145	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:49.124016047 CET	53	57145	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:53.082916021 CET	55359	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:53.133667946 CET	53	55359	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:53.463779926 CET	58306	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:53.520102978 CET	53	58306	8.8.8.8	192.168.2.3
Jan 11, 2021 08:14:53.789446115 CET	64124	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:14:53.845844984 CET	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 08:12:00.972094059 CET	192.168.2.3	8.8.8.8	0x8b1c	Standard query (0)	doc-0c-8c-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Jan 11, 2021 08:12:01.649941921 CET	192.168.2.3	8.8.8.8	0x93ca	Standard query (0)	wealthyblessed.myddns.rocks	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 11, 2021 08:09:37.443648100 CET	8.8.8.8	192.168.2.3	0x3c5e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 08:12:01.049339056 CET	8.8.8.8	192.168.2.3	0x8b1c	No error (0)	doc-0c-8c-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 08:12:01.049339056 CET	8.8.8.8	192.168.2.3	0x8b1c	No error (0)	googlehosted.l.googleusercontent.com		172.217.23.1	A (IP address)	IN (0x0001)
Jan 11, 2021 08:12:01.862879038 CET	8.8.8.8	192.168.2.3	0x93ca	No error (0)	wealthyblessed.myddns.rocks		185.157.161.61	A (IP address)	IN (0x0001)
Jan 11, 2021 08:13:44.765296936 CET	8.8.8.8	192.168.2.3	0xa7c0	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 11, 2021 08:12:01.161914110 CET	172.217.23.1	443	192.168.2.3	49754	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Dec 15 15:47:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Mar 09 15:47:08 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 08:12:01.161914110 CET	172.217.23.1	443	192.168.2.3	49754	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Scan_order.exe PID: 5260 Parent PID: 5568

General

Start time:	08:09:00
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\Scan_order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x400000
File size:	77824 bytes
MD5 hash:	04BE7ED51E345A56403DF4657B376990
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: ieinstal.exe PID: 5468 Parent PID: 5260

General

Start time:	08:11:36
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x1250000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ieinstal.exe PID: 6128 Parent PID: 5260

General

Start time:	08:11:36
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x1250000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: wscript.exe PID: 5776 Parent PID: 6128

General

Start time:	08:12:45
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Imagebase:	0xea0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Scan_order.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Scan_order.exe PID: 5260 Parent PID: 5568

General

Analysis Process: ieinstal.exe PID: 5468 Parent PID: 5260

General