Play interactive tour

Edit tour

Analysis Report order.exe

Overview

General Information

Sample Name:	order.exe
Analysis ID:	378054
MD5:	d3a6bd4762c0c4a6f0c0fdf2d1f47915
SHA1:	2ec4b075252892291620c389c1b5803d7d89e8d6
SHA256:	521fe877cf3543f9f967c17fa046ca186cd931624d6c5c2f61c0363b29e750e7
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

order.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: D3A6BD4762C0C4A6F0C0FDF2D1F47915)

RegAsm.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 6512	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: order.exe	Virustotal: Detection: 57%	Perma Link
Source: order.exe	Metadefender: Detection: 35%	Perma Link
Source: order.exe	ReversingLabs: Detection: 39%

Source: order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: order.exe

Source: C:\Users\user\Desktop\order.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00B001AE

8_2_00B001AE

Source: order.exe, 00000000.00000000.317526946.000000000041C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameREVISIONSARBEJDET.exe vs order.exe
Source: order.exe	Binary or memory string: OriginalFilenameREVISIONSARBEJDET.exe vs order.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01

Source: C:\Users\user\Desktop\order.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9AF78BB154A6012A.TMP

Jump to behavior

Source: order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\order.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: order.exe	Virustotal: Detection: 57%
Source: order.exe	Metadefender: Detection: 35%
Source: order.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
Source: C:\Users\user\Desktop\order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\order.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\order.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6512, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0569F push edi; retf	8_2_00B0569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B078F5 push ds; ret	8_2_00B078F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B052EB push edi; retf	8_2_00B05359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B05617 push edi; retf	8_2_00B05679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0567A push edi; retf	8_2_00B05679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0567A push edi; retf	8_2_00B0569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0537F push edi; retf	8_2_00B0537E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0535A push edi; retf	8_2_00B05359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0535A push edi; retf	8_2_00B0537E

Source: C:\Users\user\Desktop\order.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B030B4	8_2_00B030B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B032BE	8_2_00B032BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02C83	8_2_00B02C83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02C85	8_2_00B02C85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02CE6	8_2_00B02CE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02ED9	8_2_00B02ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0300D	8_2_00B0300D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02E7C	8_2_00B02E7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03050	8_2_00B03050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03657	8_2_00B03657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03640	8_2_00B03640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03248	8_2_00B03248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02FB6	8_2_00B02FB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02DA6	8_2_00B02DA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B035F7	8_2_00B035F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02DFD	8_2_00B02DFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B031DB	8_2_00B031DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0373B	8_2_00B0373B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0372A	8_2_00B0372A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02910	8_2_00B02910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0311A	8_2_00B0311A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03176	8_2_00B03176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03752	8_2_00B03752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02D42	8_2_00B02D42

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002115779 second address: 0000000002115779 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAC50D99578h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, 0BE2h 0x00000022 pop ecx 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 cmp cx, DF6Fh 0x0000002c dec ecx 0x0000002d jmp 00007FAC50D995BAh 0x0000002f test bh, dh 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAC50D994C2h 0x0000003a jmp 00007FAC50D995B2h 0x0000003c test dx, ax 0x0000003f cmp eax, ebx 0x00000041 push ecx 0x00000042 cmp ebx, ebx 0x00000044 call 00007FAC50D995ECh 0x00000049 call 00007FAC50D99588h 0x0000004e lfence 0x00000051 mov edx, dword ptr [7FFE0014h] 0x00000057 lfence 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002110F1E second address: 0000000002110F1E instructions:
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002114FD8 second address: 0000000002114FD8 instructions:
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 000000000211501A second address: 000000000211501A instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\order.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\order.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002115779 second address: 0000000002115779 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAC50D99578h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, 0BE2h 0x00000022 pop ecx 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 cmp cx, DF6Fh 0x0000002c dec ecx 0x0000002d jmp 00007FAC50D995BAh 0x0000002f test bh, dh 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAC50D994C2h 0x0000003a jmp 00007FAC50D995B2h 0x0000003c test dx, ax 0x0000003f cmp eax, ebx 0x00000041 push ecx 0x00000042 cmp ebx, ebx 0x00000044 call 00007FAC50D995ECh 0x00000049 call 00007FAC50D99588h 0x0000004e lfence 0x00000051 mov edx, dword ptr [7FFE0014h] 0x00000057 lfence 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002115B71 second address: 0000000002115B71 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAC50D9BD0Bh 0x0000001d popad 0x0000001e jmp 00007FAC50D96A66h 0x00000020 test ecx, ecx 0x00000022 call 00007FAC50D96A6Eh 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002110F1E second address: 0000000002110F1E instructions:
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 0000000002114FD8 second address: 0000000002114FD8 instructions:
Source: C:\Users\user\Desktop\order.exe	RDTSC instruction interceptor: First address: 000000000211501A second address: 000000000211501A instructions:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00B030B4 rdtsc

8_2_00B030B4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\order.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\order.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00B030B4 rdtsc

8_2_00B030B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B02C83 mov eax, dword ptr fs:[00000030h]	8_2_00B02C83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03AC5 mov eax, dword ptr fs:[00000030h]	8_2_00B03AC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03AC7 mov eax, dword ptr fs:[00000030h]	8_2_00B03AC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03640 mov eax, dword ptr fs:[00000030h]	8_2_00B03640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0A5BF mov eax, dword ptr fs:[00000030h]	8_2_00B0A5BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B053F5 mov eax, dword ptr fs:[00000030h]	8_2_00B053F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B053F7 mov eax, dword ptr fs:[00000030h]	8_2_00B053F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B03B2A mov eax, dword ptr fs:[00000030h]	8_2_00B03B2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00B0910E mov eax, dword ptr fs:[00000030h]	8_2_00B0910E

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\order.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000

Jump to behavior

Source: C:\Users\user\Desktop\order.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\order.exe'

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion311	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection112	LSASS Memory	Virtualization/Sandbox Evasion311	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
order.exe	58%	Virustotal		Browse
order.exe	35%	Metadefender		Browse
order.exe	40%	ReversingLabs	Win32.Backdoor.NetWiredRc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	378054
Start date:	30.03.2021
Start time:	12:48:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@4/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.6427707411140435
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	order.exe
File size:	126976
MD5:	d3a6bd4762c0c4a6f0c0fdf2d1f47915
SHA1:	2ec4b075252892291620c389c1b5803d7d89e8d6
SHA256:	521fe877cf3543f9f967c17fa046ca186cd931624d6c5c2f61c0363b29e750e7
SHA512:	ebd715d245431022ef636a6e05ab230fa89c042afb5cec3c72442f8cb7d91343e225196e38adfeeecd0d734212e5d1d1c57ef38720f5b62ad46ea9aa12f82d18
SSDEEP:	768:bX71wnkVPSNDFzZJc6NYHQ9kLfynrm3E23FVp/XPa3w80KwHIKv67CE023:rikkNDdTxu69m3E2jp/XPqwIKvfE02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...<.UP.....................`......L.............@................

File Icon


Icon Hash:	d230f2ec7064c410

Static PE Info

General
Entrypoint:	0x40134c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5055DD3C [Sun Sep 16 14:07:56 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3a1dabb0c190b6a5ea3886c39f544c6c

Entrypoint Preview

Instruction
push 0041434Ch
call 00007FAC50811AD3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, ch
sti
mov byte ptr [DCE13B38h], al
dec ebp
pushfd
xchg eax, edi
jmp 00007FAC50811B45h
jmp 00007FAC5112CF6Ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+75h], cl
je 00007FAC50811B55h
arpl word ptr [edi+72h], bp
outsb
imul ebp, dword ptr [esi+67h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
adc eax, 67F56310h
outsb
pop ebp
retf
inc ecx
mov ch, 15h
out 58h, al
cmp cl, byte ptr [edx]
retn ED8Dh
or ebp, dword ptr [ecx+739C372Eh]
dec ebp
adc byte ptr [edi], 00000070h
mov ah, CDh
scasb
adc bl, byte ptr [33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor eax, ED00012Fh
sub eax, dword ptr [ecx]
add byte ptr [eax], al
or dword ptr [eax], eax
dec eax
je 00007FAC50811B48h
outsb
jnc 00007FAC50811B1Bh
add byte ptr [41000C01h], cl
inc esi
dec eax
inc ecx
inc ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19114	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x3ef4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18530	0x19000	False	0.298359375	data	4.99321635473	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x194c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x3ef4	0x4000	False	0.286865234375	data	3.29642223118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1d84c	0x26a8	data
RT_ICON	0x1cba4	0xca8	data
RT_ICON	0x1c45c	0x748	data
RT_GROUP_ICON	0x1c42c	0x30	data
RT_VERSION	0x1c150	0x2dc	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	REVISIONSARBEJDET
FileVersion	9.04.0012
CompanyName	Hurricane MUX, Inc.
Comments	Hurricane MUX
ProductName	Hurricane MUX
ProductVersion	9.04.0012
FileDescription	Hurricane MUX
OriginalFilename	REVISIONSARBEJDET.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: order.exe PID: 6496 Parent PID: 5864

General

Start time:	12:49:10
Start date:	30/03/2021
Path:	C:\Users\user\Desktop\order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\order.exe'
Imagebase:	0x400000
File size:	126976 bytes
MD5 hash:	D3A6BD4762C0C4A6F0C0FDF2D1F47915
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6512 Parent PID: 6496

General

Start time:	12:50:26
Start date:	30/03/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\order.exe'
Imagebase:	0x6c0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6528 Parent PID: 6512

General

Start time:	12:50:27
Start date:	30/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsm.exe PID: 6512 Parent PID: 6496 RegAsm.exeCOMMON

Executed Functions

Non-executed Functions

Function 00B02C83, Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a21252f47502316a0322fa6913fed9b5363993eb4e5c0c21065afb75c01e38e
Instruction ID: c31cc839218c5a902b72340046f26c5b4165185fddc5991a5021df4ee16add8e
Opcode Fuzzy Hash: 9a21252f47502316a0322fa6913fed9b5363993eb4e5c0c21065afb75c01e38e
Instruction Fuzzy Hash: 494268B0740306AFEB209F24CC95BE67BE5FF15750F644265EE8A972C1D775A884CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B02910, Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada610b311eb2125d139f61e82907521c5e43b3a707f7405210b543e98cb292e
Instruction ID: 35403db50e27db7239387a260498ea3afd33c71969f3b5c59b0cb20ebe206cb0
Opcode Fuzzy Hash: ada610b311eb2125d139f61e82907521c5e43b3a707f7405210b543e98cb292e
Instruction Fuzzy Hash: 49B122B0680209BFEF301E24CC95BEA3FA6EF41710FA442A5FF855B1C1D3B598989B45

Uniqueness

Uniqueness Score: -1.00%

Function 00B02C85, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b74943d21dcbe6dde8a3d5264569d1e26cf1a2fd0f75119c5bc2eba5d6e6a
Instruction ID: 29d62c384ee33d5ec402581071000dedb1994d5b524840d40f87185772e91901
Opcode Fuzzy Hash: 750b74943d21dcbe6dde8a3d5264569d1e26cf1a2fd0f75119c5bc2eba5d6e6a
Instruction Fuzzy Hash: 80A145B1704603AFE3119F24C994BD6BBE5FF19790F648264EC89933C1E775A984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B02CE6, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e131a0de2e99a005d14403dd229af2d1b05a19a6143be7fd4ddcab48d04a00
Instruction ID: d92fca7607a14175abdf6ae173655aa37410ac751cc31620f82dee99d0e743d3
Opcode Fuzzy Hash: 31e131a0de2e99a005d14403dd229af2d1b05a19a6143be7fd4ddcab48d04a00
Instruction Fuzzy Hash: E4A131B1700602AFE3519F24C994BD6BBE5FF19790F648264EC89932C0E779A994CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B02D42, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cc55196c425e7d0a21f27430f2c6ceca5d0879419415ba5548e25556ac244d
Instruction ID: 43fab351f5b66616952477f7c6b014cbc809d6792c439305f48aa44fa3d3f042
Opcode Fuzzy Hash: 91cc55196c425e7d0a21f27430f2c6ceca5d0879419415ba5548e25556ac244d
Instruction Fuzzy Hash: 899155B0704603AFE3519F28C9D4BD2BBE5FF19750F648264EC89832C0E775A994CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B02DFD, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe83c26412f846982b6027dec21582f1d87a91ad416afe7e40378bf9f2ef2743
Instruction ID: 265bf28d4c51e60501d59b17531a59e0237abdcdf506386f6d37297109a4fb78
Opcode Fuzzy Hash: fe83c26412f846982b6027dec21582f1d87a91ad416afe7e40378bf9f2ef2743
Instruction Fuzzy Hash: F3917771704603AFE3519F38C9D8BD6BBE5FF19790F648268E889832C1E775A984C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B02DA6, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5961cac15048013945762b07c682ff5f83327bb096919ae7088763c5f2484e
Instruction ID: c7d3c4829a0b99f5a08a96d885bd23f9fc503c1f07ed701770dee0fb3b32df90
Opcode Fuzzy Hash: ce5961cac15048013945762b07c682ff5f83327bb096919ae7088763c5f2484e
Instruction Fuzzy Hash: C8916671704603AFE3559F28C9D4BD2BBE5FF19790F648264EC89832C0E775A994CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B02E7C, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d11152ea3f1caa2dbf074f80edfdfb12655a445cdc3425f38512e1b15b24b
Instruction ID: 02a67bda4fcad5169c8aeb27fedeaa5fae3de207287229b82e5a9ef2349d4b9f
Opcode Fuzzy Hash: 440d11152ea3f1caa2dbf074f80edfdfb12655a445cdc3425f38512e1b15b24b
Instruction Fuzzy Hash: 7F715871704603AFD3559F28CD98BD2BBE8FF19790F248264EC8A932C1E765AD84C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B02ED9, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ea191ef1de8d9f3b893918ebfe93e7d7c3040f87808e696f34a9f8667d816f
Instruction ID: 2d434696fdb96f29f8bef321d16dc21354070cec9dd2d2563cbdfc4169468b9c
Opcode Fuzzy Hash: 65ea191ef1de8d9f3b893918ebfe93e7d7c3040f87808e696f34a9f8667d816f
Instruction Fuzzy Hash: 5F718C71704603AFD3559F28CD987D6BBE8FF19790F248264EC8A932C1E7669D84C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B02FB6, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10668dca9bcfdc25fbf6469bfc3970515b1ef33375a116cf37bbc848a2583bc0
Instruction ID: 4bf4893c16999328a937dee5218adfd5686478141085ce88be850ca9bef4de19
Opcode Fuzzy Hash: 10668dca9bcfdc25fbf6469bfc3970515b1ef33375a116cf37bbc848a2583bc0
Instruction Fuzzy Hash: 87517D713046039FD3659F28DC98BD6BBE9FF19790F248264EC8A932C1E7669D84C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B0300D, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11c91d0e4c746a69116958870d50b56c1013d2afa4f2d827d0f9f9c390da219
Instruction ID: 8800ff46882e3c48e08548dff797a9f4663a0a4c3ee5533b3fb3db7881b077c9
Opcode Fuzzy Hash: c11c91d0e4c746a69116958870d50b56c1013d2afa4f2d827d0f9f9c390da219
Instruction Fuzzy Hash: 04515B713046039FD3559F28DC98BD6BBE9FF19750F288264EC8A932C1E765AD84C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B03050, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e017994e48563e7eb8c81c71aaafe1fb324ea0e9f2a2c2561d403994d5468df6
Instruction ID: cd8f26a0bb4c40e0a83502100cf3db0c74d52cc78c9c879cd8633852cef51c10
Opcode Fuzzy Hash: e017994e48563e7eb8c81c71aaafe1fb324ea0e9f2a2c2561d403994d5468df6
Instruction Fuzzy Hash: D8515A71704602AFD3559F38DC98BE6BBE8FF19760F688364E886932C1D725AD84C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B030B4, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339eab253e9383a37a0d8acb29fb990e702b196880ec33e8305f73d32f69ae64
Instruction ID: d670bbd30b1c0ad73e9bb82e40e1eb356ca087b8b2e8d40a038c10d6e74f5a34
Opcode Fuzzy Hash: 339eab253e9383a37a0d8acb29fb990e702b196880ec33e8305f73d32f69ae64
Instruction Fuzzy Hash: A5515771704602AFD3259F38C8D8BE6BBE4FF19760F648364E88A932C1D721A984C780

Uniqueness

Uniqueness Score: -1.00%

Function 00B0311A, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f710f450a8890e88aa6441ba2b4db90d8666bea28132eee3000cdbe3205654fc
Instruction ID: cbf65110a472c39c99a442a9a6c4b145b39a693220bd73153323074a3e5b132a
Opcode Fuzzy Hash: f710f450a8890e88aa6441ba2b4db90d8666bea28132eee3000cdbe3205654fc
Instruction Fuzzy Hash: D0515871704602DFD3259F38D8D8BE6BBE8FF19750F688264E88A932D1D731A984C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B03657, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac1932f81d64b61a0d4707a4d47d166b8f8d7309377ec0d5fee75e7e79f25c4
Instruction ID: b097843b76c60350f92b38dfd2c63f6403b52c2840d05231d5abdfa15f2c0201
Opcode Fuzzy Hash: aac1932f81d64b61a0d4707a4d47d166b8f8d7309377ec0d5fee75e7e79f25c4
Instruction Fuzzy Hash: 95418DB1B042029FD7245A2CCC98BE5AFEDBF097A0F6883A5FCD6932C2D71199858350

Uniqueness

Uniqueness Score: -1.00%

Function 00B03176, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee74b852393d3fc54fe63e899f653a3061fe582935e051c7047e879ace011d1
Instruction ID: 006ccde99d60aeddbb0d483878dcf17fbdeb132dcca3fc1f55ae4adcda590cb3
Opcode Fuzzy Hash: fee74b852393d3fc54fe63e899f653a3061fe582935e051c7047e879ace011d1
Instruction Fuzzy Hash: 24416871304602AFD315DF38D9D8BD6BBE8FF19750F688254E88A972C1E735A984C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B03640, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc12ccec525d0dc4e2f3077acb105ecc787c5ce9123bded2dec0f7ef74ec85e
Instruction ID: 7bae9a25f2fb69384e8888ab919e2a377366f64b7d24c0f05bf154b8d2ff1277
Opcode Fuzzy Hash: ccc12ccec525d0dc4e2f3077acb105ecc787c5ce9123bded2dec0f7ef74ec85e
Instruction Fuzzy Hash: 3141CCB1B40202AFD7146A1CCC99BE57BEDBF05BA0F6843A4FC56932C2DB15ED898750

Uniqueness

Uniqueness Score: -1.00%

Function 00B03752, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c1f08ce8d449c95b65992a4c8293e9ace983a0f3520c0bf55450162be59adc
Instruction ID: 3163d8890ca5c5c25736e0bbbd50b4750ffa8521700f1b654d1cee13c27789d2
Opcode Fuzzy Hash: 41c1f08ce8d449c95b65992a4c8293e9ace983a0f3520c0bf55450162be59adc
Instruction Fuzzy Hash: 7E418272B442025BE7205A2CCC55BE66BEDAF097E0F688794FCD6A31C2D715D9864350

Uniqueness

Uniqueness Score: -1.00%

Function 00B03AC5, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2010a1748e06e163f0a57d2999efe5e2451dcfab90d391a0e7aed41466940c2
Instruction ID: 46ab4cc209a7ad6543d15b312dc6086e4dbcd4d6b7362e2e129bd15b8d1ee950
Opcode Fuzzy Hash: b2010a1748e06e163f0a57d2999efe5e2451dcfab90d391a0e7aed41466940c2
Instruction Fuzzy Hash: FA412630244301DEFB355E54CDADBEA3BE8FF01790FA04199FD869B1D2D7A48981DA06

Uniqueness

Uniqueness Score: -1.00%

Function 00B031DB, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c395d550fffd3788d4e7b3b4886a326520dd893dc099ebcc21303339019cc3a5
Instruction ID: 9293d17e186e2147567afb795f4c318a65a2bf6b86f36f5dfa0bc59bc854c486
Opcode Fuzzy Hash: c395d550fffd3788d4e7b3b4886a326520dd893dc099ebcc21303339019cc3a5
Instruction Fuzzy Hash: D54127723046129FD325AF38D8D8BD6BBE8FF09750F688650E886972C1D7719A85C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B0372A, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8d148ca140449b5c695096cca0d26badf1a1eb379655452c964de5f57f2f9c
Instruction ID: 89ffb1d607067694575d3b0df395375da08a31c877732edd5afbc986f71cd237
Opcode Fuzzy Hash: 8f8d148ca140449b5c695096cca0d26badf1a1eb379655452c964de5f57f2f9c
Instruction Fuzzy Hash: 8131DFB1B402029FE7145A1CCC99BE53BDDBF05BA0F6443A4FC9A931C2DB14DD854750

Uniqueness

Uniqueness Score: -1.00%

Function 00B0373B, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5b7ba62093112f84671d5f1f2733a67402d642c0843f3532bc19287b3f7d8c
Instruction ID: 3d39836cdb4721214868ceee5280ddb0ec5d32d39443b72d7ad555ed5968841d
Opcode Fuzzy Hash: 4d5b7ba62093112f84671d5f1f2733a67402d642c0843f3532bc19287b3f7d8c
Instruction Fuzzy Hash: 3C31BE71B402069FE7245A1CCC99BE62BDDBF057A0F6843A4FC9AA31C2DB15DD854750

Uniqueness

Uniqueness Score: -1.00%

Function 00B03248, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3824513f057b720d1ddb3ada45f6d73a82dc4a79b288181ad01874bec53b174
Instruction ID: addceb0b41dfb72414621bc31e766511c456c15f10ed76e7831242048403ebd4
Opcode Fuzzy Hash: d3824513f057b720d1ddb3ada45f6d73a82dc4a79b288181ad01874bec53b174
Instruction Fuzzy Hash: 663135713046029FD315AF38D8D8BE6BBD8FF19790F548260E88A87281D7719A80C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B001AE, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f490472483e65975f9725504290edc13ddd5a8874fe6675da86757f2763fbe1
Instruction ID: ce3687d986e7589ec29ccb64f1c6235686e834dd55638f8960cfc11f2fb6b003
Opcode Fuzzy Hash: 3f490472483e65975f9725504290edc13ddd5a8874fe6675da86757f2763fbe1
Instruction Fuzzy Hash: FD41EA6666D1C307D6362E7C70909F2EFF58A0E2E6B59FD46D1C56B606C032828B9294

Uniqueness

Uniqueness Score: -1.00%

Function 00B03AC7, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3485b9d94cace0a9ba691c53ac10b88503710397def5ca9fc89c18e5f723c90e
Instruction ID: 96e83ad63aa00c40697cf8790ded3371c3408a1593fb11d51f2ae16e2d91b925
Opcode Fuzzy Hash: 3485b9d94cace0a9ba691c53ac10b88503710397def5ca9fc89c18e5f723c90e
Instruction Fuzzy Hash: 773137342083419FFB351F6898B9BE5BBE9EF05794F948199EDC66B2C2C3718582CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00B032BE, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bb8671ea94ccccf6eaebc98e37ba7ad00309e0774a8c69ceeed914a06b3236
Instruction ID: f07a09616c73e7083582460b564e07bbf2a7450e9195504d86c9979f6cffd543
Opcode Fuzzy Hash: e7bb8671ea94ccccf6eaebc98e37ba7ad00309e0774a8c69ceeed914a06b3236
Instruction Fuzzy Hash: 5A3127723046129BD315EF38E8D4BE6FBD8FF09790F188660E88587381D7219981C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B035F7, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b94aa4bf36043c573373a2e5f74c6a9aea2ae38425ecfffd714011241bb375
Instruction ID: 8a9ec73dbbca28199de9aac8a7982c8b2401352259ebd7a4fdce4b45e17adee6
Opcode Fuzzy Hash: c8b94aa4bf36043c573373a2e5f74c6a9aea2ae38425ecfffd714011241bb375
Instruction Fuzzy Hash: DD314D723046029BD315DF38D8D8BE5FBD4FF0A764F298651D886873C1D7219984C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B03B2A, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f72c670c06f227804d527cb68c8e65a38be6f070e29ad4b2ff94a7fdab0a89e
Instruction ID: d2c43bfaaec700ed6c4cd49664af0e9870c2e545f318171051077b293f284b7b
Opcode Fuzzy Hash: 1f72c670c06f227804d527cb68c8e65a38be6f070e29ad4b2ff94a7fdab0a89e
Instruction Fuzzy Hash: 972149342443019EFB301F6498BEFE56BE9EF05790F908196FD866B1D2C371C581C501

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A5BF, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7a8fad28c16fc5afc1bec0f477fa543c4e7aa520d283259ccaa1788dbfdab1
Instruction ID: 699369d57e6c98d4e57e6e1d6e7dfa78a206d8a18625d1af853e33d3a1342b68
Opcode Fuzzy Hash: 8b7a8fad28c16fc5afc1bec0f477fa543c4e7aa520d283259ccaa1788dbfdab1
Instruction Fuzzy Hash: FFF04975304301CFDB14DA2486D4BA67BF5AB58340FAACCD6DC43CB2A1E720DC81AA03

Uniqueness

Uniqueness Score: -1.00%

Function 00B053F7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8542aaf9cbd47a7007c3025fc132e05864575f8a2cec6aa52193f61f8de27c41
Instruction ID: ba4b390f7523d86a04e7217b9d4a081e30f585f13f56f73475192c90967ddd72
Opcode Fuzzy Hash: 8542aaf9cbd47a7007c3025fc132e05864575f8a2cec6aa52193f61f8de27c41
Instruction Fuzzy Hash: C0F07DB762A0C247E221AF7CA090DE1EBB59F1D1EAB85FD85D1C59F70AC132D587C250

Uniqueness

Uniqueness Score: -1.00%

Function 00B053F5, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9945d6da1abe1f909101516774e1b70b487e257c6ebcfb776b24c7cfae7c9ef
Instruction ID: 254c6f6138437ff477146be9c1b069763d877bff79210f1858ffa2c569506d2e
Opcode Fuzzy Hash: d9945d6da1abe1f909101516774e1b70b487e257c6ebcfb776b24c7cfae7c9ef
Instruction Fuzzy Hash: 71C04CB62029818BEB55DA08C491B5473A1FB54645B9404A0D442CBB29D214E980C940

Uniqueness

Uniqueness Score: -1.00%

Function 00B0910E, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.582745540.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cc478e0263cfdd16efae1d5cb9c344b669032ff8c6a30c4754065326eabbcc
Instruction ID: 5f8ab656faed41e94178dc536784a036ea580adb9ebd9207cae0f09e09d914ef
Opcode Fuzzy Hash: f1cc478e0263cfdd16efae1d5cb9c344b669032ff8c6a30c4754065326eabbcc
Instruction Fuzzy Hash: 82C04878755682DFDA59CA08C188FA077A0BB08B80FE205C0E8029BB52C229E8409A00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report order.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: order.exe PID: 6496 Parent PID: 5864

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 6512 Parent PID: 6496

General

Chronological Activities

Analysis Process: conhost.exe PID: 6528 Parent PID: 6512

General

Chronological Activities