Play interactive tour

Edit tour

Analysis Report Incaseformat

Overview

General Information

Sample Name:	Incaseformat (renamed file extension from none to exe)
Analysis ID:	339452
MD5:	1ea8bea4055adc9edf91e03b0c80e68a
SHA1:	300b32ae0a70e86eecbccc2b850d783ded5a0f69
SHA256:	3c8c16428fe5b2d67ed59d543805e5ec63b3565f05305cbc193c961107e56f1d
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Incaseformat.exe (PID: 3504 cmdline: 'C:\Users\user\Desktop\Incaseformat.exe' MD5: 1EA8BEA4055ADC9EDF91E03B0C80E68A)

lvrslql.exe (PID: 5264 cmdline: C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal MD5: 0174F8B5E7DD2E44B57EBBE3742B216F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Incaseformat.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\ProgramData\Mozilla\lvrslql.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Mozilla\nnekebf.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen4

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Mozilla\nnekebf.dll	Virustotal: Detection: 76%	Perma Link
Source: C:\ProgramData\Mozilla\nnekebf.dll	Metadefender: Detection: 52%	Perma Link
Source: C:\ProgramData\Mozilla\nnekebf.dll	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Show sources

Source: Incaseformat.exe	Virustotal: Detection: 83%			Perma Link
Source: Incaseformat.exe	ReversingLabs: Detection: 100%

Machine Learning detection for dropped file

Show sources

Source: C:\ProgramData\Mozilla\lvrslql.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla\nnekebf.dll	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Incaseformat.exe

Joe Sandbox ML: detected

Source: 0.0.Incaseformat.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.Incaseformat.exe.400000.0.unpack	Avira: Label: TR/Gepys.aouma
Source: 1.2.lvrslql.exe.df0000.1.unpack	Avira: Label: TR/Gepys.aouma
Source: 0.2.Incaseformat.exe.2150000.1.unpack	Avira: Label: TR/Gepys.aouma
Source: 1.0.lvrslql.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.lvrslql.exe.400000.0.unpack	Avira: Label: TR/Gepys.aouma

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe

Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe	Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe	Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack

Source: Incaseformat.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: Incaseformat.exe, 00000000.00000002.216899225.00000000007BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Incaseformat.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: Incaseformat.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lvrslql.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nnekebf.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.evad.winEXE@2/2@0/0

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize,

Source: Incaseformat.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Incaseformat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Incaseformat.exe	Virustotal: Detection: 83%
Source: Incaseformat.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\Incaseformat.exe

File read: C:\Users\user\Desktop\Incaseformat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Incaseformat.exe 'C:\Users\user\Desktop\Incaseformat.exe'
Source: unknown	Process created: C:\ProgramData\Mozilla\lvrslql.exe C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal

Source: C:\Users\user\Desktop\Incaseformat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe	Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Mozilla\lvrslql.exe	Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe

Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe	Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe	Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\Incaseformat.exe	Code function: 0_2_00403CB5 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040E03D push edi; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040F03F push ecx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040D8DF pushad ; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_00403CB5 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040EA1F push ebp; retf
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040DAC9 push ecx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040D2F0 push ebp; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040BE88 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_00DB8720 push edx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_00D919CE push edx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_00D932C2 push FFFFFFDFh; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_00D93FE0 push ss; retn 0003h

Source: initial sample	Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample	Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample	Static PE information: section name: .text entropy: 7.08580926417

Persistence and Installation Behavior:

Drops executable to a common third party application directory

Show sources

Source: C:\Users\user\Desktop\Incaseformat.exe	File written: C:\ProgramData\Mozilla\lvrslql.exe			Jump to behavior
Source: C:\ProgramData\Mozilla\lvrslql.exe	File written: C:\ProgramData\Mozilla\nnekebf.dll			Jump to behavior

Source: C:\ProgramData\Mozilla\lvrslql.exe	File created: C:\ProgramData\Mozilla\nnekebf.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Incaseformat.exe	File created: C:\ProgramData\Mozilla\lvrslql.exe			Jump to dropped file

Source: C:\ProgramData\Mozilla\lvrslql.exe	File created: C:\ProgramData\Mozilla\nnekebf.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Incaseformat.exe	File created: C:\ProgramData\Mozilla\lvrslql.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\ProgramData\Mozilla\lvrslql.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Jump to behavior

Source: C:\Users\user\Desktop\Incaseformat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\ProgramData\Mozilla\lvrslql.exe

Dropped PE file which has not been started: C:\ProgramData\Mozilla\nnekebf.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Incaseformat.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\Mozilla\lvrslql.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion,

Source: C:\Users\user\Desktop\Incaseformat.exe	Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Incaseformat.exe	Code function: 0_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\Mozilla\lvrslql.exe	Code function: 1_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_00402179 GetTickCount,CreateFileW,WriteFile,CloseHandle,HeapFree,_memset,ShellExecuteExW,Sleep,DeleteFileW,

Source: C:\Users\user\Desktop\Incaseformat.exe

Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize,

Source: C:\Users\user\Desktop\Incaseformat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Exploitation for Privilege Escalation1	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Registry Run Keys / Startup Folder1	Process Injection1	Process Injection1	LSASS Memory	Security Software Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Software Packing33	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery4	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Incaseformat.exe	83%	Virustotal		Browse
Incaseformat.exe	100%	ReversingLabs	Win32.Dropper.GepSys
Incaseformat.exe	100%	Avira	TR/Dropper.Gen
Incaseformat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Mozilla\lvrslql.exe	100%	Avira	TR/Dropper.Gen
C:\ProgramData\Mozilla\nnekebf.dll	100%	Avira	TR/ATRAPS.Gen4
C:\ProgramData\Mozilla\lvrslql.exe	100%	Joe Sandbox ML
C:\ProgramData\Mozilla\nnekebf.dll	100%	Joe Sandbox ML
C:\ProgramData\Mozilla\nnekebf.dll	76%	Virustotal		Browse
C:\ProgramData\Mozilla\nnekebf.dll	55%	Metadefender		Browse
C:\ProgramData\Mozilla\nnekebf.dll	84%	ReversingLabs	Win32.Trojan.Zeus

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.Incaseformat.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.Incaseformat.exe.400000.0.unpack	100%	Avira	TR/Gepys.aouma	Download File
1.2.lvrslql.exe.df0000.1.unpack	100%	Avira	TR/Gepys.aouma	Download File
0.2.Incaseformat.exe.2150000.1.unpack	100%	Avira	TR/Gepys.aouma	Download File
1.0.lvrslql.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.2.lvrslql.exe.400000.0.unpack	100%	Avira	TR/Gepys.aouma	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339452
Start date:	14.01.2021
Start time:	04:19:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Incaseformat (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.winEXE@2/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 31% (good quality ratio 28.6%) Quality average: 80.4% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 52% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

Time	Type	Description
04:20:19	Task Scheduler	Run new task: uihuovc path: C:\PROGRA~3\Mozilla\lvrslql.exe s>-ddeznal

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Mozilla\lvrslql.exe Download File
Process:	C:\Users\user\Desktop\Incaseformat.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	386118
Entropy (8bit):	7.757548173569129
Encrypted:	false
SSDEEP:	6144:flzoa7yNgAIQo8OLamr3RLzRnHhq92gkqnC2v7LA+Fq3PTzhVaY:ftB7yNgD83m3fE92TqC25sPPKY
MD5:	0174F8B5E7DD2E44B57EBBE3742B216F
SHA1:	182A5FA3FA20939D1646A8BB2D5D99D358AB0C67
SHA-256:	E2830DBE2A0C182413532707C4A1D0005BF77F5A4275D743C40DBC5CD257AD01
SHA-512:	D094657C9FD11DC9D4E909AFB0E8C7A1F21038189D49EBD4C749E9FE508DBDEE76BC68A6C478B38CCE8F5C13FB76CE0CB7E3CC5924507C8FADAA003A6982532D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S..v(..S..R..S.1.A..S..S..S.....S.....S.....S.Rich.S.........PE..L..."..Q..........................................@.............................................................................d....................................................................................................................text...F........................... ..`.rdata..............................@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Mozilla\nnekebf.dll Download File
Process:	C:\ProgramData\Mozilla\lvrslql.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	23040
Entropy (8bit):	6.549949874024087
Encrypted:	false
SSDEEP:	384:ucR0NobYoT7lP/uy4rKTFBYFk64owOCjxXfr6ftakRl:ue0OHlz4EVhTPjxXz6T
MD5:	186E739497337C4C3084CE81279271D4
SHA1:	2A31C24432B259926A7E5E33F7EB8C9AE57A517B
SHA-256:	33F74F3530AF748C84DDDE066BF29E347BDA982FE81C742773951B1FF286CC0B
SHA-512:	B9AAC441ECD2055BE2A2407299243357BD6A28A39309D5FF7463EAAAD46FC8A565C35379C7CCFD0579EC0EFB3DF7A16D1E46D595D9F380995B7F327D95B29E34
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 76%, Browse Antivirus: Metadefender, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S..v(..S..R..S.1.A..S.....S..S..S.....S.....S.Rich.S.........PE..L...!..Q...........!.....D...................`...............................`...............................................`..d....................................................................................`...............................text...XC.......D.................. ..`.rdata.......`.......H..............@..@.data...L....p.......L..............@....rsrc................N..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.75753941681381
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Incaseformat.exe
File size:	386110
MD5:	1ea8bea4055adc9edf91e03b0c80e68a
SHA1:	300b32ae0a70e86eecbccc2b850d783ded5a0f69
SHA256:	3c8c16428fe5b2d67ed59d543805e5ec63b3565f05305cbc193c961107e56f1d
SHA512:	28e9af00495f838562d8ee67ab3521baea93f8b0360505cd0cbd40b40ad14b7e365ae7c71599fe5d05c539c106323021890a16c97c19770fda1bb5a01131b0bf
SSDEEP:	6144:flzoa7yNgAIQo8OLamr3RLzRnHhq92gkqnC2v7LA+Fq3PTzhVap:ftB7yNgD83m3fE92TqC25sPPKp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...S...S...S..v(...S...R...S.1.A...S...S...S.......S.......S.......S.Rich..S.........PE..L..."..Q...........................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x42c0f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51829C22 [Thu May 2 17:02:26 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b40c457657c59e9d515f1130618a2f1e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 50h
lea eax, dword ptr [ebp-50h]
push eax
call dword ptr [0042D034h]
push 0000019Ch
push 00000000h
call dword ptr [0042D070h]
test eax, eax
je 00007F4F08AE7696h
xor eax, eax
jmp 00007F4F08AE76E9h
push 00007F00h
push 00000000h
call dword ptr [0042D070h]
test eax, eax
jne 00007F4F08AE7696h
xor eax, eax
jmp 00007F4F08AE76D4h
push ebp
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
mov eax, eax
call 00007F4F08AE7089h
mov esp, ebp
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 0000021Ch
mov eax, dword ptr [ebp+08h]
mov dword ptr [ebp-0000020Ch], eax
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ebp-0000021Ch], ecx
mov dword ptr [ebp-00000218h], 00000005h
mov dword ptr [ebp-00000210h], 0042E0E0h
mov edx, dword ptr [ebp-0000020Ch]
cmp edx, dword ptr [ebp-0000021Ch]
jnc 00007F4F08AE76A6h
mov dword ptr [ebp-00000218h], 00000005h

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d094	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x790	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2d000	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b346	0x2b400	False	0.853814803107	data	7.66572568976	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0x3b4	0x400	False	0.5078125	data	4.79024068833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x118	0x200	False	0.263671875	data	2.00112152127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2f000	0x2b790	0x800	False	0.3037109375	data	2.76533518439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2f0d0	0x188	Alpha compressed COFF	Russian	Russia
None	0x2f268	0x526	PC bitmap, Windows 3.x format, 160 x 15 x 4	Russian	Russia
None	0x2f258	0xb	PGP Secret Sub-key (v4) - 0b created on Tue Jul 14 05:20:16 1970 - unknown (pub 0) Plaintext or unencrypted data	Russian	Russia

Imports

DLL	Import
KERNEL32.dll	ReadFile, CreateFileA, GetTickCount, GetModuleHandleA, GetCommandLineA, GetProcAddress, GetStartupInfoA, ExitProcess
USER32.dll	GetSystemMetrics, LoadBitmapA, GetMessageA, LoadIconA, LoadMenuA, PostQuitMessage, RegisterClassExA, ReleaseDC, SetMenu, ShowWindow, TranslateMessage, UpdateWindow, LoadIconW, GetDC, EndPaint, DispatchMessageA, DefWindowProcA, CreateWindowExA, BeginPaint, LoadCursorA
GDI32.dll	SelectObject, DeleteDC, CreateCompatibleDC, BitBlt
ADVAPI32.dll	RegOpenKeyA

Version Infos

Description	Data
FileDescription
CompanyName
Translation	0x0419 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Incaseformat.exe PID: 3504 Parent PID: 5656

General

Start time:	04:20:13
Start date:	14/01/2021
Path:	C:\Users\user\Desktop\Incaseformat.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Incaseformat.exe'
Imagebase:	0x400000
File size:	386110 bytes
MD5 hash:	1EA8BEA4055ADC9EDF91E03B0C80E68A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: lvrslql.exe PID: 5264 Parent PID: 528

General

Start time:	04:20:18
Start date:	14/01/2021
Path:	C:\ProgramData\Mozilla\lvrslql.exe
Wow64 process (32bit):	true
Commandline:	C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal
Imagebase:	0x400000
File size:	386118 bytes
MD5 hash:	0174F8B5E7DD2E44B57EBBE3742B216F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Incaseformat

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Incaseformat.exe PID: 3504 Parent PID: 5656

General

Analysis Process: lvrslql.exe PID: 5264 Parent PID: 528

General

Disassembly

Code Analysis