Play interactive tour

Edit tour

Analysis Report jesovROZ8A.exe

Overview

General Information

Sample Name:	jesovROZ8A.exe
Analysis ID:	346431
MD5:	039ce25d495fa555ae1c210592b564d0
SHA1:	6684d0ffde174052a03931981262dc0a7cb9891c
SHA256:	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
Tags:	unnamed3
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

jesovROZ8A.exe (PID: 2416 cmdline: 'C:\Users\user\Desktop\jesovROZ8A.exe' MD5: 039CE25D495FA555AE1C210592B564D0)

WerFault.exe (PID: 5888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: jesovROZ8A.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: jesovROZ8A.exe	Virustotal: Detection: 85%			Perma Link
Source: jesovROZ8A.exe	ReversingLabs: Detection: 100%

Machine Learning detection for sample

Show sources

Source: jesovROZ8A.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: jesovROZ8A.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00401401
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00403827
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040142A
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00401C2B
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040C4D3
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040BCEA
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040AD5F
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040AD60
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00408116
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00417516
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040FD1C
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410528
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0042313D
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004125CA
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004131CC
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004221ED
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004065F2
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004065F6
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00411982
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410DBE
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00413220
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00421AE6
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041B2F3
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D684
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D6A0
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041BF43
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00404B50
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00409711
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041E32C
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040E734
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041CBD1
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004203E1
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040BFFB
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00425FFC
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00407388

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588

Source: jesovROZ8A.exe, 00000000.00000002.206549685.0000000000446000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe
Source: jesovROZ8A.exe	Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe

Source: jesovROZ8A.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: jesovROZ8A.exe

Static PE information: Section: UPX1 ZLIB complexity 0.996900699013

Source: classification engine

Classification label: mal60.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2416

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97.tmp

Jump to behavior

Source: C:\Users\user\Desktop\jesovROZ8A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: jesovROZ8A.exe	Virustotal: Detection: 85%
Source: jesovROZ8A.exe	ReversingLabs: Detection: 100%

Source: unknown	Process created: C:\Users\user\Desktop\jesovROZ8A.exe 'C:\Users\user\Desktop\jesovROZ8A.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588

Data Obfuscation:

Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D056 push ds; retf
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00405414 push ds; retn 0000h
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004060E9 push ecx; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410DFE pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D5B6 push 00880000h; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004046EA pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00405EFB pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040577F push edi; ret

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Source: C:\Users\user\Desktop\jesovROZ8A.exe

Process queried: DebugPort

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jesovROZ8A.exe	86%	Virustotal		Browse
jesovROZ8A.exe	100%	ReversingLabs	Win32.Trojan.Zeus
jesovROZ8A.exe	100%	Avira	TR/Sirefef.AO
jesovROZ8A.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.jesovROZ8A.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.jesovROZ8A.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346431
Start date:	31.01.2021
Start time:	15:51:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	jesovROZ8A.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@2/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 98.3% (good quality ratio 69.3%) Quality average: 46.9% Quality standard deviation: 34.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.255.188.83, 104.43.193.48 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolcus15.cloudapp.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_174609fe\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11734
Entropy (8bit):	3.7756645450844095
Encrypted:	false
SSDEEP:	192:d6lo4/KjHBUZMXYjRWV//u7s7S274ItDX2:H4/+BUZMXYjM/u7s7X4ItDX2
MD5:	90348400B8FF91427A3D8FE633406DAD
SHA1:	B0890BF3F5D23484AE45B77C2B2916D01DB734BF
SHA-256:	B896514327C8A7E71B11B5A09D4C29C3A0300D34BA416416CF6E4FA8483053C2
SHA-512:	B8A9BB49180A44760BE185E39C8BBC696E60DCAF8ED4723B80E7A00034E1DDB5F0AA69D972B22B0EABC5E0958AD76029F32DEE513842759525EBA0B618A30409
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.1.0.7.2.4.8.0.7.9.4.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.1.0.7.2.5.5.5.7.9.5.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.6.b.8.a.4.8.-.6.5.c.0.-.4.2.2.5.-.a.6.c.8.-.2.3.9.f.a.8.7.2.9.c.c.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.7.8.e.b.2.4.-.7.c.1.1.-.4.3.c.8.-.a.2.a.e.-.5.a.9.c.0.8.1.4.d.4.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.e.s.o.v.R.O.Z.8.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.h.e.v.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.7.0.-.0.0.0.1.-.0.0.1.7.-.1.5.d.5.-.a.2.1.2.2.c.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.e.9.9.7.4.9.2.3.7.a.0.6.0.7.c.4.b.f.6.b.d.7.1.4.a.8.4.d.c.b.3.0.0.0.0.0.9.0.4.!.0.0.0.0.6.6.8.4.d.0.f.f.d.e.1.7.4.0.5.2.a.0.3.9.3.1.9.8.1.2.6.2.d.c.0.a.7.c.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.6994579938462806
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijt6jfy6YS/SUIUpblGgmfPjStCprF89brnesfH5m:RrlsNip6e6YqSUIU+gmfPjS/rndfU
MD5:	3BAD7B2DBEFB569A73D48F4E1BDBE508
SHA1:	8573B937AC58F6F45B2ABFDE4444E5EE9D0B382B
SHA-256:	794287A06E613B335CCBDB4141CAF7A8D2B5E3EC8B67905360FEA6DE030DBBB5
SHA-512:	30A5B628C11FD517627724BB6B40E3A587E33047F685365AA264D4AF2580A626B3D94D6DD8E5E55F9B498624AF3B615139558106B26079926CDF91F8FBED36FC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.459246142148875
Encrypted:	false
SSDEEP:	48:cvIwSD8zs8tJgtWI98/EWSC8B1/8fm8M4JosSFL+q8qrVZ5P9M0h4sd:uITf8HNdSNsJ8tZ5P9MCdd
MD5:	EE9A37A7CF7A48B561CE809E0A9FD314
SHA1:	7A53D5C095AE88DB6527D23ED6F1828661065825
SHA-256:	3A7ACD8DFC4FFB86D5B8D14C837E25B5E82FCC2B699CAA7E3B5DA2EF2A1660FF
SHA-512:	27B92BA14C832DCDC77EFA83CDA0CB756907858062DB83C14A435ACE13D716A2EA8F58C7230016101D5410A3265994B3358B1E73AF41405BEE8B062AD6910DEA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="841502" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Jan 31 23:52:05 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41942
Entropy (8bit):	2.338919342839634
Encrypted:	false
SSDEEP:	192:/N/t2P6MvHmWzxUsxtr+AkK2VOD+wGt6t5Q3KrRMjCTx/aE6MC:GuWzxUsxx+bgTsZKruCTpP6MC
MD5:	EF41E4BCD97E9BF8344AE871265D27F2
SHA1:	5013FCE08852EA3B415DC5B9B0F312DD1D1DDE18
SHA-256:	FDD7E4E2E749661B7BBEB808272674283A5FA9D0E13AE47EE71D8B9E0F118D0C
SHA-512:	9ED65096CD14476E73D7BD6503BDB5B496715968DBA737832EA936478A2FF314931D3D9AB97450AF2831D870A93A423CF2CA7C6BD337437F564F5638EAF619A9
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........B.`...................U...........B..............GenuineIntelW...........T.......p....B.`.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9178862272744785
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	jesovROZ8A.exe
File size:	202240
MD5:	039ce25d495fa555ae1c210592b564d0
SHA1:	6684d0ffde174052a03931981262dc0a7cb9891c
SHA256:	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
SHA512:	c2be8d6b80e57339957f370b4ac31bd03140f9a9ed4865926eb6d7e5a69d3510b046930c1933d38629b4c3bcae007b6cf5e6140463ab6e064820cdd91bbd46bb
SSDEEP:	3072:RD9PfpJ/v2bIfdjba+htCsw0qv2AYjGX9E7e+q8EOADhpsWgXDeet78Bx/rUyMHL:RXJWbUTwsTqvdMO9nnSmphgTeE4B+8U
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F...'...'...'......h%......;'...k...'..0...C'...y...&..<&...%.......&..^....%...w...&...3...$.......$...7..Z&..Rich.'.........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x445590
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D771DAA [Wed Mar 9 06:26:50 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	8
OS Version Minor:	2
File Version Major:	8
File Version Minor:	2
Subsystem Version Major:	8
Subsystem Version Minor:	2
Import Hash:	976c9384d1a3c367e491662f20af4316

Entrypoint Preview

Instruction
pushad
mov esi, 00416000h
lea edi, dword ptr [esi-00015000h]
push edi
jmp 00007F753091967Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F7530919679h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F753091965Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F7530919679h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F7530919661h
jne 00007F753091967Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F7530919656h
xor ecx, ecx
sub eax, 03h
jc 00007F753091967Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F75309196E6h
mov ebp, eax
add ebx, ebx
jne 00007F7530919679h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F7530919679h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F7530919692h
inc ecx
add ebx, ebx
jne 00007F7530919679h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F7530919661h
jne 00007F753091967Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F7530919656h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F7530919681h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F7530919669h
jmp 00007F75309195D8h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 04h
jnbe 00007F7530919663h
add edi, ecx
jmp 00007F75309295C1h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4749c	0x428	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x149c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x15000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x16000	0x30000	0x2f800	False	0.996900699013	data	7.94664222533	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x2000	0x1a00	False	0.621394230769	data	5.74902503533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_FONT	0x463ec	0x5	data	English	United States
RT_FONT	0x463f8	0x5	data	English	United States
RT_FONT	0x46404	0x5	data	English	United States
RT_FONT	0x46410	0x5	data	English	United States
RT_FONT	0x4641c	0x5	data	English	United States
RT_FONT	0x46428	0x5	data	English	United States
RT_FONT	0x46434	0x5	data	English	United States
RT_FONT	0x46440	0x5	data	English	United States
RT_FONT	0x4644c	0x5	data	English	United States
RT_RCDATA	0x46458	0xb08	data	English	United States
RT_VERSION	0x46f64	0x32c	data	English	United States
RT_MANIFEST	0x47294	0x1be	ASCII text, with CRLF line terminators	English	United States
None	0x47458	0x5	data	English	United States
None	0x47464	0x5	Non-ISO extended-ASCII text, with no line terminators	English	United States
None	0x47470	0x5	data	English	United States
None	0x4747c	0x5	data	English	United States
None	0x47488	0x5	data	English	United States
None	0x47494	0x5	data	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll	RegEnumKeyW
comctl32.dll	ImageList_Add
comdlg32.dll	ChooseColorW
crypt32.dll	CryptProtectData
gdi32.dll	DPtoLP
msimg32.dll	AlphaBlend
msvcrt.dll	exit
ole32.dll	DoDragDrop
rpcrt4.dll	UuidEqual
secur32.dll	GetUserNameExW
shell32.dll	ShellAboutW
shlwapi.dll	UrlIsW
urlmon.dll	CreateAsyncBindCtx
user32.dll	GetDC
version.dll	VerQueryValueW
wininet.dll	InternetOpenW
winmm.dll	mixerOpen

Version Infos

Description	Data
LegalCopyright	Crops Mama Poll 2003-2010
InternalName	Firm Veal Pores Funds Elms
FileVersion	8.9
CompanyName	Foundstone Inc.
ProductName	Yak Press Bent Met Shuts Cogent
ProductVersion	8.9
FileDescription	Wrong Knot Wilt Alto Shrew Strap
OriginalFilename	Chevy.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 31, 2021 15:51:57.030225039 CET	53	55984	8.8.8.8	192.168.2.3
Jan 31, 2021 15:51:58.114346027 CET	64185	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:51:58.171156883 CET	53	64185	8.8.8.8	192.168.2.3
Jan 31, 2021 15:51:59.309480906 CET	65110	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:51:59.357852936 CET	53	65110	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:00.330826044 CET	58361	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:00.380363941 CET	53	58361	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:01.876180887 CET	63492	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:01.927094936 CET	53	63492	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:02.834682941 CET	60831	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:02.882750988 CET	53	60831	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:03.956110001 CET	60100	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:04.009675980 CET	53	60100	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:05.175945997 CET	53195	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:05.223980904 CET	53	53195	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:05.743197918 CET	50141	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:05.802350044 CET	53	50141	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:06.373653889 CET	53023	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:06.421638012 CET	53	53023	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:07.194112062 CET	49563	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:07.242078066 CET	53	49563	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:08.044931889 CET	51352	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:08.095187902 CET	53	51352	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:09.233760118 CET	59349	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:09.292754889 CET	53	59349	8.8.8.8	192.168.2.3
Jan 31, 2021 15:52:10.289381981 CET	57084	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:52:10.337560892 CET	53	57084	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: jesovROZ8A.exe PID: 2416 Parent PID: 5632

General

Start time:	15:52:02
Start date:	31/01/2021
Path:	C:\Users\user\Desktop\jesovROZ8A.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\jesovROZ8A.exe'
Imagebase:	0x400000
File size:	202240 bytes
MD5 hash:	039CE25D495FA555AE1C210592B564D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exe PID: 5888 Parent PID: 2416

General

Start time:	15:52:03
Start date:	31/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588
Imagebase:	0x230000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report jesovROZ8A.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: jesovROZ8A.exe PID: 2416 Parent PID: 5632

General

Analysis Process: WerFault.exe PID: 5888 Parent PID: 2416

General

Disassembly

Code Analysis