Play interactive tour

Edit tour

Analysis Report executable.4420.exe

Overview

General Information

Sample Name:	executable.4420.exe
Analysis ID:	356831
MD5:	6192cfbe8e44360f7c0b6f696206f41d
SHA1:	166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:	8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to upload files via FTP

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Startup

System is w10x64

executable.4420.exe (PID: 5412 cmdline: 'C:\Users\user\Desktop\executable.4420.exe' MD5: 6192CFBE8E44360F7C0B6F696206F41D)

WerFault.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: executable.4420.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: executable.4420.exe

ReversingLabs: Detection: 74%

Machine Learning detection for sample

Show sources

Source: executable.4420.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: executable.4420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Spreading:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,

Networking:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0041B588 __EH_prolog,InternetGetConnectedState,#1199,GetDlgItem,EnableWindow,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemInt,lstrcpyA,IsDlgButtonChecked,InternetOpenA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetConnectA,#1199,GetDlgItem,EnableWindow,FtpSetCurrentDirectoryA,lstrcpyA,FtpCreateDirectoryA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,CreateFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,WriteFile,CloseHandle,CloseHandle,FtpPutFileA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileA,GetDlgItem,EnableWindow,#1199,#800,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,

Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/downloads.html
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/orderbpk.html_This
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/update.tmpupdates/bpk.dat

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\Desktop\executable.4420.exe

System Summary:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: String function: 0043E4E0 appears 241 times
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: String function: 0043DE26 appears 82 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672

Source: executable.4420.exe, 00000000.00000002.226322068.0000000000970000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs executable.4420.exe

Source: executable.4420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal60.winEXE@2/4@0/0

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0041C947 GetLastError,FormatMessageA,MessageBoxA,LocalFree,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_004288B3 CreateToolhelp32Snapshot,Module32First,Module32Next,memcpy,CloseHandle,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00429112 CoCreateInstance,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042980F #1168,FindResourceA,#1168,SizeofResource,LoadResource,LockResource,#537,#538,

Source: C:\Users\user\Desktop\executable.4420.exe

File created: C:\Users\user\AppData\Roaming\BPK\

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5412

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2F.tmp

Jump to behavior

Source: executable.4420.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\executable.4420.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: executable.4420.exe

ReversingLabs: Detection: 74%

Source: unknown	Process created: C:\Users\user\Desktop\executable.4420.exe 'C:\Users\user\Desktop\executable.4420.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672

Data Obfuscation:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0043E4E0 push eax; ret
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0043E690 push eax; ret

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\executable.4420.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 0005h and CTI: jbe 0042AB3Fh
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0014h and CTI: jbe 0042AB4Ch

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,

Anti Debugging:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042AAFA CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428A6B GetVersionExA,

Remote Access Functionality:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	System Time Discovery11	Remote Services	Clipboard Data2	Exfiltration Over Alternative Protocol1	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
executable.4420.exe	74%	ReversingLabs	Win32.Spyware.Perfect
executable.4420.exe	100%	Avira	HEUR/AGEN.1112545
executable.4420.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.executable.4420.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1112545		Download File
0.0.executable.4420.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1112545		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.blazingtools.com/update.tmpupdates/bpk.dat	0%	Avira URL Cloud	safe
http://www.blazingtools.com/orderbpk.html_This	0%	Avira URL Cloud	safe
http://www.blazingtools.com/downloads.html	1%	Virustotal		Browse
http://www.blazingtools.com/downloads.html	0%	Avira URL Cloud	safe
http://www.blazingtools.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.blazingtools.com/update.tmpupdates/bpk.dat	executable.4420.exe	false	Avira URL Cloud: safe	unknown
http://www.blazingtools.com/orderbpk.html_This	executable.4420.exe	false	Avira URL Cloud: safe	unknown
http://www.blazingtools.com/downloads.html	executable.4420.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.blazingtools.com/	executable.4420.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356831
Start date:	23.02.2021
Start time:	17:38:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	executable.4420.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 90.1%) Quality average: 71.8% Quality standard deviation: 31.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 23.211.6.115, 104.43.193.48, 40.88.32.150, 52.255.188.83, 184.30.24.56, 51.11.168.160, 8.250.157.254, 8.248.95.254, 8.238.27.126, 8.241.80.126, 8.248.123.254, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.4420._c4d235e04f7d67dd8b9808a243ef65182404b_dc10a768_08086b39\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11694
Entropy (8bit):	3.7672748277627535
Encrypted:	false
SSDEEP:	192:h/5h7gBgH/UJuLl+7jpLPAz/u7ssS274ItM/1c:tz/UJuLcjCz/u7ssX4It0c
MD5:	7A55A9DC34D7C94401B8ED3160BA0C72
SHA1:	F4AE306D576E833E6A99A8363306C07D9DD76A06
SHA-256:	35E4069BB231E06A148487DCAC11D00BE8A891927E7CC072221A7056F001F51C
SHA-512:	9B3C9B7EA90710D5C183686C7CB6977E33357DE869B25ED2D18182B7F94D65BE3CBD209640AE7837043826B243424205AF3939D4D7704BB80C276E5AF9D212E8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.6.0.4.3.7.6.4.4.2.6.1.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.6.0.4.3.7.8.8.3.3.2.3.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.0.3.d.2.5.1.-.e.c.9.b.-.4.4.e.9.-.a.4.6.d.-.7.a.f.5.b.0.9.4.0.5.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.a.6.f.5.f.1.-.d.3.f.7.-.4.9.a.e.-.b.2.e.f.-.b.9.2.1.0.9.a.6.f.9.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.x.e.c.u.t.a.b.l.e...4.4.2.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.4.-.0.0.0.1.-.0.0.1.7.-.f.7.1.d.-.3.7.e.7.4.d.0.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.b.e.2.9.9.c.7.9.9.4.b.9.5.3.7.7.c.d.6.2.c.1.5.c.1.9.9.9.1.9.0.0.0.0.f.f.f.f.!.0.0.0.0.1.6.6.8.8.6.0.6.6.f.f.a.b.b.7.6.f.6.b.7.2.c.4.b.4.e.d.9.1.f.a.1.9.e.5.9.9.8.7.a.!.e.x.e.c.u.t.a.b.l.e...4.4.2.0...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2F.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 24 01:39:36 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1080022
Entropy (8bit):	1.2269964489942033
Encrypted:	false
SSDEEP:	3072:eS293HEp5CUPF0iJTiSQCidYakBWg+vSsThybQv:eS29X65CUPF0iJTiSQCidYakEg+v9Qbm
MD5:	B9A9BEE69F8163C259E82977694A384E
SHA1:	500E77B794EB34E6B0A50D43FA8D767CE220D611
SHA-256:	EF357D66AA69B8ECAE3AA51BA7FF633B2C709DB23F74EEA1FC236F6C60018722
SHA-512:	018C33E5506E918DF09B1F4859D22AB2D97D5D3A53F85A0736CD1BDADA2C64CDD87862BDBD7158FDF6749D7744CA220BF54C595B2521C6ECADECC955DB9CC61B
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......X.5`...................U...........B..............GenuineIntelW...........T.......$...U.5`.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER655E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8320
Entropy (8bit):	3.693017369135634
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiUWV68nw6YSeSUh2sLgmfXlZS/LNCpDs89bXnisf79m:RrlsNiV68nw6YbSUh2ogmfLS/LsXnhfM
MD5:	C9E60060870D3B974BE4AFC5F943DBB3
SHA1:	66BFC2EE917214F25A0C603029918D30BCB8913F
SHA-256:	918D1EE2E7E2C757290948589858F1515FAC4E694A7236A4D155E0CD1971CE61
SHA-512:	AE855276116DCF22E25C23D3D800C4F974AC71C6A2C2AF10EEA556FC4D3F3F3D1413890BCD796B556B9A9DDEB0A5980F88DCEC3FB2C6AF56BAA568AFF42FEFCB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65FB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4597
Entropy (8bit):	4.461112344435761
Encrypted:	false
SSDEEP:	48:cvIwSD8zsjtJgtWI9LrWSC8BT8fm8M4JSHd8lFb+q8r3Y70UHj+d:uITfjHYaSNyJS987q3+DHj+d
MD5:	5D91C01CE7A87CC544F3B72FE1EB4DD3
SHA1:	5E7E5241C6400239CB4406316B6AF0FE2FF95FF4
SHA-256:	E6BA6B6FBB2687EBA4F1DEE10D64EE7B7AB566032F570DB75477951426E4CA36
SHA-512:	99990EB14ED48B65E833CF3F67CE36E24912B5DBE627BE1AC8340D8BB7970D10593D05634FE7290EACE6311B042C2690EB720E197B5786DA8057BDDDD2E596F7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874730" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.300468788976393
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	executable.4420.exe
File size:	438272
MD5:	6192cfbe8e44360f7c0b6f696206f41d
SHA1:	166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:	8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
SHA512:	d492b9ea094bd6e695a562a855587feaf793be0cb35cf28df681a0022a8e0139a222a68bd578fb65b125fe9fea86f1f596bf337e65a445e8a5286d95ae037857
SSDEEP:	3072:U+NvJwwbI7mZgauugh+KsvkfGDLNj58E2wL6uEXKIwjwxhfgtRlh:9swbYmZgarrKsvVDR5POuE6Iwqf4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....R...R...R.].R...R.c.R...R.]>R...R.\.R...R.`.R...R\c.R...R.`.R...R.`.R...R.Y.R...R...R.}.R%\.R...R...R...R.Y.R...R.y.R...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x43e7ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x47299316 [Thu Nov 1 08:49:26 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4dc9b0b4e019be52f23cc9a3c195910d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0044A588h
push 0043E91Eh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00444824h]
pop ecx
or dword ptr [00455C18h], FFFFFFFFh
or dword ptr [00455C1Ch], FFFFFFFFh
call dword ptr [004447B4h]
mov ecx, dword ptr [00455BF8h]
mov dword ptr [eax], ecx
call dword ptr [00444754h]
mov ecx, dword ptr [00455BF4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00444758h]
mov eax, dword ptr [eax]
mov dword ptr [00455C14h], eax
call 00007F4964A1E080h
cmp dword ptr [004550A0h], ebx
jne 00007F4964A47B0Eh
push 0043E948h
call dword ptr [0044475Ch]
pop ecx
call 00007F4964A47C05h
push 00453078h
push 00453074h
call 00007F4964A47BF0h
mov eax, dword ptr [00455BF0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00455BECh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00444764h]
push 00453070h
push 00453000h
call 00007F4964A47BBDh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50b58	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x14cf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0xaa0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42469	0x43000	False	0.261452746035	COM executable for DOS	3.69971850757	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0xeb80	0xf000	False	0.221451822917	data	3.38138099515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x53000	0x2c20	0x3000	False	0.368815104167	data	4.63470137622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x14cf8	0x15000	False	0.0564778645833	data	0.900735057676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WININET.dll	FtpPutFileA, InternetConnectA, FtpSetCurrentDirectoryA, FtpCreateDirectoryA, InternetOpenA, InternetGetConnectedState, InternetCloseHandle
MFC42.DLL
MSVCRT.dll	__p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _except_handler3, _onexit, __dllonexit, ??1type_info@@UAE@XZ, getenv, strrchr, atoi, _ftol, time, difftime, fabs, floor, strcat, srand, __p__fmode, _stricmp, fopen, fwrite, fclose, strchr, memmove, strncpy, setlocale, isspace, _splitpath, _makepath, strcpy, _strlwr, strstr, wcscmp, strcmp, strncmp, malloc, free, sscanf, strlen, sprintf, _purecall, _CxxThrowException, memcpy, memset, __CxxFrameHandler, __set_app_type, rand, _itoa, wcslen, _setmbcp, _controlfp
KERNEL32.dll	CloseHandle, FlushViewOfFile, ReleaseMutex, WaitForSingleObject, CreateFileMappingA, MapViewOfFile, CreateMutexA, CreateFileA, DeviceIoControl, GetFileSize, MulDiv, lstrlenA, lstrcmpA, lstrcpynA, GlobalReAlloc, GlobalHandle, UnmapViewOfFile, LoadResource, LockResource, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, FindFirstFileA, GetComputerNameA, GetDateFormatA, GetTimeFormatA, GetVersionExA, OpenProcess, GetCurrentThreadId, WideCharToMultiByte, lstrlenW, MultiByteToWideChar, SetCurrentDirectoryA, SetFileTime, GetSystemTime, GetStartupInfoA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpyA, ReadFile, WriteFile, lstrcmpiA, DeleteFileA, GetTimeZoneInformation, SetLastError, Sleep, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FileTimeToSystemTime, SetFilePointer, GetFileInformationByHandle, SystemTimeToFileTime, GetLocalTime, CreateProcessA, lstrcatA, EnumResourceNamesA, CopyFileA, GetTempFileNameA, GetTempPathA, LocalFree, FormatMessageA, GetLastError, SizeofResource, RemoveDirectoryA, MoveFileA, CreateDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, GetModuleHandleA, ExpandEnvironmentStringsA, GetCurrentProcessId, FindClose, FindResourceA, FindNextFileA
USER32.dll	GetDlgItemInt, GetDlgItemTextA, MessageBoxA, SetForegroundWindow, FindWindowA, GetWindowTextA, SetClipboardViewer, PostQuitMessage, ChangeClipboardChain, SetMenuDefaultItem, EnableMenuItem, wsprintfA, RegisterHotKey, UnregisterHotKey, LoadImageA, FillRect, DrawTextA, PtInRect, CharLowerA, GetWindowThreadProcessId, AttachThreadInput, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, IsWindowUnicode, LoadStringA, CharUpperBuffA, RedrawWindow, SetWindowLongA, InvalidateRect, MessageBeep, GetDlgCtrlID, DdeFreeStringHandle, IsWindowVisible, GetClassNameA, SendMessageTimeoutA, IsWindow, RegisterWindowMessageA, FindWindowExA, DestroyIcon, AppendMenuA, GetMenuItemCount, GetMenuItemInfoA, GetSubMenu, DrawFrameControl, OffsetRect, DrawIconEx, DrawEdge, GetSystemMetrics, SystemParametersInfoA, GetKeyboardLayout, MapVirtualKeyExA, MapVirtualKeyA, GetKeyNameTextA, EnumChildWindows, GetWindowLongA, IsDlgButtonChecked, GetForegroundWindow, PostMessageA, DdeClientTransaction, DdeGetData, GetSysColor, GetCursorPos, WindowFromPoint, GetCapture, GetWindowRect, GetFocus, InflateRect, CopyRect, DrawFocusRect, SetTimer, GetParent, GetWindowTextLengthA, GetNextDlgTabItem, SetFocus, GetDlgItem, CreatePopupMenu, CheckMenuItem, DdeCreateStringHandleA, GetKeyboardLayoutList, DdeConnect, SendMessageA, EnableWindow, GetDesktopWindow, GetDC, ReleaseDC, DdeFreeDataHandle, DdeDisconnect, DdeInitializeA, DdeUninitialize, KillTimer, DefWindowProcA, IsChild, LoadIconA, SetCursor, LoadCursorA, GetKeyboardLayoutNameA, GetClientRect
GDI32.dll	BitBlt, SelectObject, CreateCompatibleDC, CreatePen, CreateFontIndirectA, Rectangle, GetTextColor, CreateFontA, GetDIBits, CreateCompatibleBitmap, GetTextExtentPoint32A, CreateSolidBrush, SetTextColor, SetBkMode, DeleteDC, CreateDCA, GetStockObject, GetPaletteEntries, GetObjectA, CreateDIBitmap, CreatePalette, RealizePalette, PatBlt, DeleteObject, CreateBitmap
comdlg32.dll	GetOpenFileNameA
ADVAPI32.dll	RegOpenKeyA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegDeleteValueA, RegCloseKey, RegDeleteKeyA, GetUserNameA, RegOpenKeyExA
SHELL32.dll	Shell_NotifyIconA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHFileOperationA, ShellExecuteA, ExtractIconExA
COMCTL32.dll	ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, InitCommonControlsEx
ole32.dll	CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries
OLEAUT32.dll	SysStringLen, VariantInit, VariantClear, SysAllocString, SysFreeString
urlmon.dll	URLDownloadToFileA
WSOCK32.dll	send, recv, closesocket, select, connect, WSACleanup, ntohl, WSAStartup, htons, ioctlsocket, gethostbyname, bind, WSASetLastError, socket, gethostname
MSVCP60.dll	??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ
RPCRT4.dll	UuidCreate, UuidToStringA, RpcStringFreeA

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:39:25.233937979 CET	51281	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:25.285471916 CET	53	51281	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:26.376651049 CET	49199	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:26.428426981 CET	53	49199	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:28.041127920 CET	50620	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:28.100127935 CET	53	50620	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:28.905944109 CET	64938	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:28.973481894 CET	53	64938	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:29.322885990 CET	60152	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:29.392126083 CET	53	60152	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:30.896219969 CET	57544	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:30.944962025 CET	53	57544	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:31.976865053 CET	55984	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:32.029597998 CET	53	55984	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:33.256689072 CET	64185	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:33.305219889 CET	53	64185	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:34.683229923 CET	65110	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:34.736665964 CET	53	65110	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:35.631702900 CET	58361	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:35.680376053 CET	53	58361	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:36.559864044 CET	63492	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:36.617083073 CET	53	63492	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:37.945734978 CET	60831	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:37.994498968 CET	53	60831	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:39.115470886 CET	60100	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:39.164233923 CET	53	60100	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:39.239679098 CET	53195	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:39.288265944 CET	53	53195	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:40.260013103 CET	50141	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:40.308773994 CET	53	50141	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:41.080451965 CET	53023	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:41.129209995 CET	53	53023	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:42.294761896 CET	49563	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:42.354716063 CET	53	49563	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:43.181158066 CET	51352	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:43.232711077 CET	53	51352	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:44.147665024 CET	59349	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:44.196490049 CET	53	59349	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:45.087042093 CET	57084	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:45.135683060 CET	53	57084	8.8.8.8	192.168.2.3
Feb 23, 2021 17:39:58.153821945 CET	58823	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:39:58.212501049 CET	53	58823	8.8.8.8	192.168.2.3
Feb 23, 2021 17:40:05.136533022 CET	57568	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:40:05.185122967 CET	53	57568	8.8.8.8	192.168.2.3
Feb 23, 2021 17:40:18.742022038 CET	50540	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:40:18.799397945 CET	53	50540	8.8.8.8	192.168.2.3
Feb 23, 2021 17:40:27.437750101 CET	54366	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:40:27.509244919 CET	53	54366	8.8.8.8	192.168.2.3
Feb 23, 2021 17:40:46.809015036 CET	53034	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:40:46.857649088 CET	53	53034	8.8.8.8	192.168.2.3
Feb 23, 2021 17:40:52.416899920 CET	57762	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:40:52.480557919 CET	53	57762	8.8.8.8	192.168.2.3
Feb 23, 2021 17:41:21.967437983 CET	55435	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:41:22.018543959 CET	53	55435	8.8.8.8	192.168.2.3
Feb 23, 2021 17:41:23.779164076 CET	50713	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:41:23.839287043 CET	53	50713	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:21.578418970 CET	56132	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:21.638370037 CET	53	56132	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:22.242088079 CET	58987	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:22.302165985 CET	53	58987	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:22.883418083 CET	56579	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:22.943257093 CET	53	56579	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:23.421056032 CET	60633	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:23.480940104 CET	53	60633	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:24.035535097 CET	61292	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:24.092859030 CET	53	61292	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:24.596959114 CET	63619	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:24.646073103 CET	53	63619	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:25.192250013 CET	64938	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:25.252090931 CET	53	64938	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:25.980870962 CET	61946	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:26.029532909 CET	53	61946	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:27.071306944 CET	64910	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:27.119978905 CET	53	64910	8.8.8.8	192.168.2.3
Feb 23, 2021 17:42:27.595020056 CET	52123	53	192.168.2.3	8.8.8.8
Feb 23, 2021 17:42:27.652151108 CET	53	52123	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: executable.4420.exe PID: 5412 Parent PID: 5608

General

Start time:	17:39:33
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\executable.4420.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\executable.4420.exe'
Imagebase:	0x400000
File size:	438272 bytes
MD5 hash:	6192CFBE8E44360F7C0B6F696206F41D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exe PID: 2100 Parent PID: 5412

General

Start time:	17:39:35
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672
Imagebase:	0x7ff7488e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report executable.4420.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: executable.4420.exe PID: 5412 Parent PID: 5608

General

Analysis Process: WerFault.exe PID: 2100 Parent PID: 5412

General

Disassembly

Code Analysis