Windows Analysis Report mormanti.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
4 memory dumps (source names not preserved) | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
4 unpacked PEs (source names not preserved) | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Signature | Evidence |
---|---|
Antivirus / Scanner detection for submitted sample | Avira |
Found malware configuration | Malware Configuration Extractor |
Multi AV Scanner detection for submitted file | Virustotal (Perma Link); ReversingLabs |
(signature title not preserved) | Static PE information (2); File opened; Binary string (3); Code function 0_2_02DC2871 |
Networking: |
---|
Signature | Evidence |
---|---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Snort IDS |
C2 URLs / IPs found in malware configuration | IPs (80 entries, the C2 list shown under Malware Configuration) |
(signature titles not preserved) | Network traffic detected (3); TCP traffic (5); IP Address (2); ASN Name (3); TCP traffic detected without corresponding DNS query (21); String found in binary or memory (58) |
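The "TCP traffic detected without corresponding DNS query" evidence above is the network behaviour that makes this sample easy to spot: Emotet connects straight to the IP addresses in its configuration, so no DNS lookup ever precedes the connection. The following Python is an added example, not part of the Joe Sandbox report, that implements that heuristic over a small constructed stream of host telemetry (one DNS answer and a handful of TCP connects, invented here) and enriches each hit with two facts from the report: whether the port is one of the 7080/8080 non-standard ports from the config, and whether the `(ip, port)` pair appears in the extracted C2 list (a five-entry subset of the 80 is embedded; the full list is in the Malware Configuration section). Event tuple layout, the `EMOTET_C2` subset and `SAMPLE_EVENTS` are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Subset of the (ip, port) C2 endpoints from the report's extracted configuration.
EMOTET_C2 = {
    ("149.62.173.247", 8080), ("72.47.248.48", 7080), ("104.131.103.128", 443),
    ("58.171.153.81", 80), ("204.225.249.100", 7080),
}

# Ports in this config that a workstation should never be talking to on the Internet.
NONSTANDARD_PORTS = {7080, 8080}

# Constructed telemetry (not from the report), in time order:
#   ("dns",  src, query_name, answer_ip)   a DNS answer the host received
#   ("conn", src, dst_ip, dst_port)        a TCP connection the host opened
SAMPLE_EVENTS = [
    ("dns",  "10.0.0.23", "www.example.com", "93.184.216.34"),
    ("conn", "10.0.0.23", "93.184.216.34", 443),     # resolved first: benign pattern
    ("conn", "10.0.0.23", "149.62.173.247", 8080),   # direct-to-IP, C2 from config
    ("conn", "10.0.0.23", "72.47.248.48", 7080),     # direct-to-IP, C2 from config
    ("conn", "10.0.0.23", "104.131.103.128", 443),   # direct-to-IP on 443, still C2
    ("conn", "10.0.0.23", "10.0.0.1", 445),          # internal: DNS not expected
]

Finding = namedtuple("Finding", "src dst port reasons")


def detect_direct_ip_c2(events, c2=EMOTET_C2):
    """Flag TCP connections to public IPs that no earlier DNS answer resolved.

    Returns a Finding per such connection; reasons explain why it stands out.
    """
    resolved = set()
    findings = []
    for ev in events:
        if ev[0] == "dns":
            resolved.add(ev[3])
            continue
        if ev[0] != "conn":
            continue
        _, src, dst, port = ev
        addr = ipaddress.ip_address(dst)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue                      # internal traffic legitimately skips DNS
        if dst in resolved:
            continue                      # normal: name was resolved before connecting
        reasons = ["tcp to public ip without dns resolution"]
        if port in NONSTANDARD_PORTS:
            reasons.append(f"non-standard port {port}")
        if (dst, port) in c2:
            reasons.append("matches emotet c2 from extracted config")
        findings.append(Finding(src, dst, port, tuple(reasons)))
    return findings
```

On the constructed events the function returns three findings (the two 7080/8080 connections carry all three reasons, the 443 connection only the DNS and config-match reasons) and skips both the resolved host and the internal SMB connection. In production the "no DNS" test needs a time window and a passive-DNS cache rather than a set that grows forever, because a sensor only sees the resolutions it was running for; the config match and the port check are what keep the rule precise when it does fire.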
E-Banking Fraud: |
---|
Signature | Evidence |
---|---|
Yara detected Emotet | File source (8) |
Further evidence rows (signature titles not preserved): |
File created; File deleted |
Code function: 0_2_02DB23AF, 0_2_02DB253B, 0_2_02DC2BFC, 0_2_02DC2A70 |
Static PE information (6) |
Binary or memory string (3) |
Section loaded (2) |
Static PE information |
Classification label |
File created |
Mutant created |
Command line argument: 0_2_00C121FD (2), 2_2_00C121FD (2) |
Static PE information |
File read; Key opened; File read (2) |
Virustotal; ReversingLabs |
Process created (17) |
Key value queried |
File opened |
Static PE information (6); Static PE information; Static PE information |
Binary string (3) |
Static PE information (5) |
Code function: 0_2_00C12D9C, 0_2_00C13134, 2_2_00C12D9C, 2_2_00C13134 |
Persistence and Installation Behavior: |
---|
Signature | Evidence |
---|---|
Drops executables to the windows directory (C:\Windows) and starts them | Executable created and started |
(signature title not preserved) | PE file moved |
Hooking and other Techniques for Hiding and Protection: |
---|
Signature | Evidence |
---|---|
Hides that the sample has been downloaded from the Internet (zone.identifier) | File opened |
(signature title not preserved) | Process information set (4) |
Malware Analysis System Evasion: |
---|
Signature | Evidence |
---|---|
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) | Evasive API call chain: graph_0-6572 |
Further evidence rows (signature titles not preserved): |
Thread sleep time |
File opened |
Last function |
File Volume queried |
Code function: 0_2_02DC2871 |
Binary or memory string (9) |
Process information queried |
Code function: 0_2_00C1272C |
Code function: 0_2_00C11FF2, 0_2_02DB304D, 0_2_02DB0467, 0_2_02DB277C, 0_2_02DC370E, 0_2_02DC2E3D, 2_2_00C11FF2 |
Code function: 0_2_00C1272C, 2_2_00C1272C |
Binary or memory string (4) |
Queries volume information (14) |
Code function: 0_2_00C12FF8 |
Key value queried |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Signature | Evidence |
---|---|
Changes security center settings (notifications, updates, antivirus, firewall) | Key value created or modified |
(signature title not preserved) | Binary or memory string (2); WMI Queries (4) |
Stealing of Sensitive Information: |
---|
Signature | Evidence |
---|---|
Yara detected Emotet | File source (8) |
Mitre Att&ck Matrix |
---|
Techniques matched by this analysis, per tactic (the trailing number is the count shown in the report) |
---|
Tactic | Matched techniques |
---|---|
Execution | Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Native API (1) |
Persistence | DLL Side-Loading (1) |
Privilege Escalation | Process Injection (2); DLL Side-Loading (1) |
Defense Evasion | Masquerading (121); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2); Process Injection (2); Hidden Files and Directories (1); Obfuscated Files or Information (1); DLL Side-Loading (1); File Deletion (1) |
Discovery | System Time Discovery (1); Security Software Discovery (41); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (24) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (12); Non-Standard Port (1); Application Layer Protocol (11) |
Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact | none matched |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
75% | Virustotal | |
82% | ReversingLabs | Win32.Trojan.Emotet |
100% | Avira | TR/Kryptik.vhuzo |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Detection | Scanner | Label |
---|---|---|
100% | Avira | HEUR/AGEN.1138886 (4 files) |
100% | Avira | TR/Crypt.XPACK.Gen (2 files) |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
23 URLs checked, all rated safe (0%): 14 by Avira URL Cloud, 9 by URL Reputation (URL values not preserved) |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
52 URLs found in memory and binaries (values not preserved), none marked malicious; reputation: 35 high, 15 unknown, 2 low |
---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
149.62.173.247 | unknown | Spain | 50926 | INFORTELECOM-ASES | true | |
191.182.6.118 | unknown | Brazil | 28573 | CLAROSABR | true | |
104.131.103.37 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
204.225.249.100 | unknown | Canada | 22652 | FIBRENOIRE-INTERNETCA | true | |
94.176.234.118 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true | |
70.32.84.74 | unknown | United States | 398110 | GO-DADDY-COM-LLCUS | true | |
177.73.0.98 | unknown | Brazil | 53184 | INBTelecomEIRELIBR | true | |
12.162.84.2 | unknown | United States | 7018 | ATT-INTERNET4US | true | |
116.125.120.88 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
58.171.153.81 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | true | |
170.81.48.2 | unknown | Brazil | 263634 | TACNETTELECOMBR | true | |
219.92.13.25 | unknown | Malaysia | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | true | |
202.62.39.111 | unknown | Cambodia | 23673 | ONLINE-ASCogetelOnlineCambodiaISPKH | true | |
209.236.123.42 | unknown | United States | 393398 | ASN-DISUS | true | |
213.181.91.224 | unknown | Spain | 49000 | TELECABLEJUMILLA-ASES | true | |
5.196.35.138 | unknown | France | 16276 | OVHFR | true | |
187.162.248.237 | unknown | Mexico | 6503 | AxtelSABdeCVMX | true | |
189.2.177.210 | unknown | Brazil | 4230 | CLAROSABR | true | |
93.151.186.85 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true | |
217.199.160.224 | unknown | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true | |
114.109.179.60 | unknown | Thailand | 17552 | TRUE-AS-APTrueInternetCoLtdTH | true | |
143.0.87.101 | unknown | Brazil | 263998 | MMTelecomBR | true | |
186.103.141.250 | unknown | Chile | 15311 | TelefonicaEmpresasCL | true | |
77.90.136.129 | unknown | Germany | 42821 | RAPIDNET-DEHaunstetterStr19DE | true | |
181.129.96.162 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true | |
50.28.51.143 | unknown | United States | 32244 | LIQUIDWEBUS | true | |
68.183.190.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
94.206.45.18 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true | |
190.17.195.202 | unknown | Argentina | 10318 | TelecomArgentinaSAAR | true | |
73.116.193.136 | unknown | United States | 7922 | COMCAST-7922US | true | |
82.76.111.249 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true | |
189.194.58.119 | unknown | Mexico | 13999 | MegaCableSAdeCVMX | true | |
80.249.176.206 | unknown | Russian Federation | 31376 | SMART-ASRU | true | |
145.236.8.174 | unknown | Hungary | 5483 | MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU | true | |
191.99.160.58 | unknown | Ecuador | 27738 | EcuadortelecomSAEC | true | |
217.13.106.14 | unknown | Hungary | 12301 | INVITECHHU | true | |
147.91.184.91 | unknown | Serbia | 13092 | UB-ASRS | true | |
68.183.170.114 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
81.198.69.61 | unknown | Latvia | 12578 | APOLLO-ASLatviaLV | true | |
177.66.190.130 | unknown | Brazil | 262502 | FLYLinkTelecomBR | true | |
177.72.13.80 | unknown | Brazil | 52814 | INTERNETPLAYLTDABR | true | |
61.92.159.208 | unknown | Hong Kong | 9269 | HKBN-AS-APHongKongBroadbandNetworkLtdHK | true | |
178.79.163.131 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
46.28.111.142 | unknown | Czech Republic | 197019 | WEDOSCZ | true | |
77.55.211.77 | unknown | Poland | 15967 | NAZWAPL | true | |
190.163.31.26 | unknown | Chile | 22047 | VTRBANDAANCHASACL | true | |
137.74.106.111 | unknown | France | 16276 | OVHFR | true | |
172.104.169.32 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
72.47.248.48 | unknown | United States | 31815 | MEDIATEMPLEUS | true | |
181.120.79.227 | unknown | Paraguay | 23201 | TelecelSAPY | true | |
89.32.150.160 | unknown | Romania | 43927 | HOSTERIONRO | true | |
104.131.41.185 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
186.250.52.226 | unknown | Brazil | 262807 | RedfoxTelecomunicacoesLtdaBR | true | |
87.106.46.107 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
177.144.135.2 | unknown | Brazil | 27699 | TELEFONICABRASILSABR | true | |
217.160.182.191 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
201.213.156.176 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
83.169.21.32 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true | |
70.32.115.157 | unknown | United States | 31815 | MEDIATEMPLEUS | true | |
213.60.96.117 | unknown | Spain | 12334 | Galicia-SpainES | true | |
212.231.60.98 | unknown | Spain | 15704 | AS15704ES | true | |
181.36.42.205 | unknown | Dominican Republic | 28118 | ALTICEDOMINICANASADO | true | |
104.131.103.128 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
190.190.148.27 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
190.6.193.152 | unknown | Honduras | 27884 | CABLECOLORSAHN | true | |
51.255.165.160 | unknown | France | 16276 | OVHFR | true | |
212.71.237.140 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
185.94.252.27 | unknown | Germany | 197890 | MEGASERVERS-DE | true | |
2.47.112.152 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true | |
104.236.161.64 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
192.241.143.52 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
192.241.146.84 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
45.161.242.102 | unknown | Brazil | 268479 | AntonioMarcosdosSantos-MEBR | true | |
66.228.49.173 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
190.147.137.153 | unknown | Colombia | 10620 | TelmexColombiaSACO | true | |
82.196.15.205 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true | |
111.67.12.221 | unknown | Australia | 55803 | DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU | true | |
177.74.228.34 | unknown | Brazil | 263652 | CMDNETInternetInformaticaLtdaBR | true | |
91.219.169.180 | unknown | Ukraine | 52191 | LOCALKA-NET-AS | true | |
185.94.252.12 | unknown | Germany | 197890 | MEGASERVERS-DE | true |
Private |
---|
IP |
---|
127.0.0.1 |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 449959 |
Start date: | 16.07.2021 |
Start time: | 17:05:22 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | mormanti.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@17/8@0/81 |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
17:06:35 | API Interceptor | |
17:07:51 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Other Joe Sandbox samples that contacted it (names and SHA-256 not preserved) |
---|---|
149.62.173.247 | 20 samples, all detected malicious |
104.131.103.37 | 3 samples, all detected malicious |
204.225.249.100 | 1 sample, detected malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Other Joe Sandbox samples in this ASN (names and SHA-256 not preserved) |
---|---|
CLAROSABR | 20 samples, all detected malicious |
DIGITALOCEAN-ASNUS | 20 samples, all detected malicious |
INFORTELECOM-ASES | 20 samples, all detected malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 0.5918524708219107 |
Encrypted: | false |
SSDEEP: | 6:b8ek1GaD0JOCEfMuaaD0JOCEfMKQmDjjAl/gz2cE0fMbhEZolrRSQ2hyYIIT:b8NGaD0JcaaD0JwQQjjAg/0bjSQJ |
MD5: | 9EB1288EAAF777CF31B19FC8052D9DDD |
SHA1: | D0366555B0FF7D5F716C215B7253373231FE1F4B |
SHA-256: | 1AB4A321F9958011E0E2AA7DF522A3567EFC956F36513C512EEA3BBA3F7E2F22 |
SHA-512: | E916EAE79313765EBED1A5A407594EEBAD546A7963C3E6E96FBC869B431BB491C40E973D58FC69D1D9977855B8FAC8002D1C435E855378A1508DF71343C6752E |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.09325297057693027 |
Encrypted: | false |
SSDEEP: | 6:agAzwl/+z6RIE11Y8TRXuo/Xx1qKIgAzwl/+z6RIE11Y8TRXuo/Xx1qK:aX0++O4blj/h1qKIX0++O4blj/h1qK |
MD5: | 01DC05B086437F44DADEBE72F42AE6E4 |
SHA1: | 5ED9C40BDF29C734FDB24E80573BFAB46285828A |
SHA-256: | 88194003F7E242AECDD75F00695B39A37441BF6C57A9812A12F9F7735BD43BA3 |
SHA-512: | C1CFDEBA81E79AC3C92B208FD5E625E9625D853F518F0114FB6DF66EA1530A87F10A125A99E9E6FF3E6556568B0DC84B4C356173A2362B656E7B81698EDAB9B3 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8192 |
Entropy (8bit): | 0.10801090337418041 |
Encrypted: | false |
SSDEEP: | 3:kE17EvGZ0i0lcSXl/bJdAtizjlD/ill:kE1iGZ0hlc8t4U1G |
MD5: | 518B806DEB454B700E818B345A95C61C |
SHA1: | 53C2FB38B4AB68FC2414D36920212E45895260FB |
SHA-256: | 6F4DEAA5EDE225FB203717C88BAE62EB1EE0789B07C1548185C9338FE5A29C7A |
SHA-512: | D17D2469510FA2AA3F080A8EF6C8D2657E0CB6AE65D5930FD08BB94A32CB5C2E0F7844FB991FDED7885E5D209269F718A76844CEA288CBBCBAC71EFA55C18F27 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11017776630826032 |
Encrypted: | false |
SSDEEP: | 12:265Xm/Ey6q99954Klq3qQ10nMCldimE8eawHjcmj:26kl68wLyMCldzE9BHjc8 |
MD5: | D8C933C4D3562115CDA8EC19E4C40BAB |
SHA1: | B56A16C4CCB98D25D5DFE0F211C87C28F6BAE8D5 |
SHA-256: | FAE8B7380E73264FFA75864B9F212C841A62D927153EC739D80DEDB876A482BB |
SHA-512: | E75F13F453D4619F7722B799A8CAA47EF12184BFF7394309A12DEF148B5BA7DB20D6EA2A512B27B86B380BF6DE624F68B2AF8408D90F356517888C8524EAD3CA |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11280925407263487 |
Encrypted: | false |
SSDEEP: | 12:UrXm/Ey6q999549r1z1miM3qQ10nMCldimE8eawHza1miI5Z:/l684h1tMLyMCldzE9BHza1tIn |
MD5: | 9D91B6F5D908F8FA9457289284D99D90 |
SHA1: | 7FA4F2CC6A51660A2767B533B9629484DD209C00 |
SHA-256: | 348FCA3B1B0151D5A3E0AB8F2EC51DD4404ABDB779CB3319255F5C4B7C7E77CF |
SHA-512: | 110A3DEE834FB3E03DA0152E809F2CD0A50294CFF62DB8CA2C9E96F9324729840EB44DCCC46D2815F50D14ED61A67CFBE06D5F2550A8FF48DEE6A0F43087CB09 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11273590727037369 |
Encrypted: | false |
SSDEEP: | 12:U0Xm/Ey6q99954iH0z1mK2P3qQ10nMCldimE8eawHza1mKQe:Al68S1iPLyMCldzE9BHza13 |
MD5: | 0573B48E6E823B072B981744C4EC755A |
SHA1: | B0AC5879397474AF40AEE8E06E193A277A89D30C |
SHA-256: | CAFED707C6D08E422CC295DD756129A2BDA528D830225142ABD5F4862CEAF3DC |
SHA-512: | 33F8D03E6DAC4E202ECAFE1D7491E131E8496D25FB8A0DF090EF7397B45350B9DEE82D286BA184EBD0DC319D92CC817AFFCB7CA5B3D1A42340A6156DC78C4F97 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55 |
Entropy (8bit): | 4.306461250274409 |
Encrypted: | false |
SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Windows Defender\MpCmdRun.exe |
File Type: | |
Category: | modified |
Size (bytes): | 906 |
Entropy (8bit): | 3.152601704217562 |
Encrypted: | false |
SSDEEP: | 12:58KRBubdpkoF1AG3rABD2iCk9+MlWlLehB4yAq7ejCpBD2iP:OaqdmuF3rg2iV+kWReH4yJ7M42iP |
MD5: | 2CA5726DE33B7191699EBFEEC4F7210C |
SHA1: | 0613DF20921345EFB902DFE198764AEF58BF6C9E |
SHA-256: | 00CFCED40E9C57E6C01FE432F6C4470A9330DE3DD47676C30294BB085A9EC9D5 |
SHA-512: | 9D63083245C34A426097B74D9EF78CE8105CAA5B4CF4586F751C02774B91A2E79873A5B71F9C9694C22325031D6F97B4C617EF223DDC16884F18488E5F5A269A |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.359134894428257 |
TrID: |
|
File name: | mormanti.exe |
File size: | 102912 |
MD5: | 6c94edfea6e5ee001b00122c9d01bd8a |
SHA1: | a8d0cc5088ee86c2be77afe157695d12e951f369 |
SHA256: | 0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e |
SHA512: | 8e4f44f2680feb8fa564a26b3f283ce360d966e01b1585686e6eb23900f5e09d39e3b62b154604972091cc928f99f835ec2e042a5c06d7df29b8c225e3db447f |
SSDEEP: | 1536:jw9fHY8jOMiep0McpHa74EuSFGMpJ7q06VSE:srOMiep0ZpeuQJmpSE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$~..J-..J-..J-:..-..J-...-..J-...-..J-...-..J-...-..J-.61-..J-..K-..J-...-..J-...-..J-...-..J-Rich..J-....................... |
File Icon |
---|
Icon Hash: | 9a8a808292808000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x402b60 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5F325807 [Tue Aug 11 08:34:15 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | c75ae73417f3d8c7926ca2cc9989d6f5 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007FA204A14198h |
jmp 00007FA204A13A3Ch |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [004061D8h], eax |
mov dword ptr [004061D4h], ecx |
mov dword ptr [004061D0h], edx |
mov dword ptr [004061CCh], ebx |
mov dword ptr [004061C8h], esi |
mov dword ptr [004061C4h], edi |
mov word ptr [004061F0h], ss |
mov word ptr [004061E4h], cs |
mov word ptr [004061C0h], ds |
mov word ptr [004061BCh], es |
mov word ptr [004061B8h], fs |
mov word ptr [004061B4h], gs |
pushfd |
pop dword ptr [004061E8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [004061DCh], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [004061E0h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [004061ECh], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [00406128h], 00010001h |
mov eax, dword ptr [004061E0h] |
mov dword ptr [004060DCh], eax |
mov dword ptr [004060D0h], C0000409h |
mov dword ptr [004060D4h], 00000001h |
mov eax, dword ptr [00406018h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [0040601Ch] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [00000068h] |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48dc | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x144c4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0x454 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4230 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4450 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x200 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x243c | 0x2600 | False | 0.655324835526 | COM executable for DOS | 6.36850956542 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x4000 | 0x1702 | 0x1800 | False | 0.40625 | data | 5.1131105028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6000 | 0x648 | 0x200 | False | 0.232421875 | data | 2.09168969639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x7000 | 0x144c4 | 0x14600 | False | 0.486459930982 | data | 6.30306243713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1c000 | 0x70c | 0x800 | False | 0.49853515625 | data | 4.44276595657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x7550 | 0x2e8 | data | English | United States |
RT_ICON | 0x7838 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x7960 | 0xea8 | data | English | United States |
RT_ICON | 0x8808 | 0x8a8 | data | English | United States |
RT_ICON | 0x90b0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x9618 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States |
RT_ICON | 0xbbc0 | 0x10a8 | data | English | United States |
RT_ICON | 0xcc68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xd0d0 | 0x2e8 | data | English | United States |
RT_ICON | 0xd3b8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xd4e0 | 0xea8 | data | English | United States |
RT_ICON | 0xe388 | 0x8a8 | data | English | United States |
RT_ICON | 0xec30 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xf198 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States |
RT_ICON | 0x11740 | 0x10a8 | data | English | United States |
RT_ICON | 0x127e8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_MENU | 0x12c50 | 0x4a | data | English | United States |
RT_DIALOG | 0x12c9c | 0x140 | data | English | United States |
RT_STRING | 0x12ddc | 0x4c | data | English | United States |
RT_ACCELERATOR | 0x12e28 | 0x10 | data | English | United States |
RT_RCDATA | 0x12e38 | 0x8344 | data | English | United States |
RT_GROUP_ICON | 0x1b17c | 0x76 | data | English | United States |
RT_GROUP_ICON | 0x1b1f4 | 0x76 | data | English | United States |
RT_MANIFEST | 0x1b26c | 0x256 | ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | Sleep, InterlockedCompareExchange, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryExA, GetTickCount64, InterlockedExchange |
USER32.dll | LoadIconW, LoadCursorW, RegisterClassExW, CreateWindowExW, ShowWindow, UpdateWindow, SetTimer, PostQuitMessage, DialogBoxParamW, DestroyWindow, DefWindowProcW, SetCapture, PtInRect, ReleaseCapture, BeginPaint, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, GetMessageW, LoadAcceleratorsW, LoadStringW, OffsetRect, DrawTextA, FillRect, InvalidateRect, ReleaseDC, GetDC, GetClientRect, EndPaint, EndDialog |
GDI32.dll | CreateSolidBrush, DeleteObject, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, GetStockObject, SaveDC, RestoreDC, SetBkMode, BitBlt, CreateRectRgnIndirect, CreatePolygonRgn, CombineRgn, SelectClipRgn, Ellipse, Rectangle, CreatePen |
MSVCP90.dll | ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?uncaught_exception@std@@YA_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?str@?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ, ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z |
MSIMG32.dll | AlphaBlend, GradientFill |
MSVCR90.dll | _amsg_exit, _CxxThrowException, __CxxFrameHandler3, _controlfp_s, _invoke_watson, _except_handler4_common, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, ?terminate@@YAXXZ, _crt_debugger_hook, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, ??1exception@std@@UAE@XZ, ??3@YAXPAX@Z, ??0exception@std@@QAE@XZ, ??0exception@std@@QAE@ABV01@@Z, ??2@YAPAXI@Z, _invalid_parameter_noinfo, srand, rand, _time64, _wcslwr, atoi, _unlock, __dllonexit, _encode_pointer, _lock, _onexit, _decode_pointer, memcpy, __wgetmainargs, _cexit, _exit, _XcptFilter, exit, _wcmdln |
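The Static PE Info, Sections and Imports tables above are read straight out of the PE headers. The Python below is added here as an example; it is not part of the Joe Sandbox report and not code from the analysed sample. It walks the headers the same way the report does: maps the entry point RVA (0x402b60 - 0x400000 = 0x2b60) onto the section that contains it, decodes IMAGE_FILE_HEADER.TimeDateStamp, expands the DLL characteristics bitmask, measures 8-bit entropy per section, and computes an import hash with the pefile/VirusTotal recipe. It runs on a small PE it constructs itself (build_sample_pe(): the sections, addresses and the imphash input list are made up for the demonstration, not taken from mormanti.exe); the only value borrowed from the table above is the timestamp 0x5F325807.

```python
"""PE32 header walker, an added example for this report (not Joe Sandbox code).
It reproduces how the Static PE Info fields above are derived: entry point mapped
to its section, link timestamp decoded, DLL characteristics expanded, 8-bit Shannon
entropy per section, and the import-hash (imphash) recipe over a DLL/function list.
The PE built by build_sample_pe() is constructed here and is NOT mormanti.exe."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* bits
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for a constant byte, 8.0 for a uniform spread."""
    ent = 0.0
    for count in Counter(data).values():
        p = count / len(data)
        ent -= p * math.log2(p)
    return ent


def decode_timestamp(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def imphash(imports) -> str:
    """pefile/VirusTotal recipe: 'dll.func' lower-cased, .dll/.ocx/.sys stripped,
    comma-joined in import order, then MD5.  Ordinal imports are not handled here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections, entry_section = [], None
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)  # first 24 bytes of the 40-byte header
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": entropy(data[raw_ptr:raw_ptr + raw_size])})
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name
    return {
        "machine": machine, "timestamp": ts, "timestamp_utc": decode_timestamp(ts),
        "image_base": image_base, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "entry_section": entry_section, "subsystem": subsystem, "sections": sections,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not the analysed file): .text is a constant byte
    (entropy 0.0) and .rdata cycles through all 256 byte values (entropy 8.0)."""
    opt_size, hdr = 0xE0, bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0x5F325807, 0, 0, opt_size, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1060)                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                    # ImageBase
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8140)                  # GUI; TS_AWARE|NX_COMPAT|DYNAMIC_BASE
    sect = opt + opt_size
    struct.pack_into("<8sIIIIIIHHI", hdr, sect, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sect + 40, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr) + b"\x90" * 0x200 + bytes(range(256)) * 2


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"entry {info['entry_va']:#x} in {info['entry_section']}, linked {info['timestamp_utc']}")
    print("dll characteristics:", ", ".join(info["dll_characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} va={s['va']:#x} raw={s['raw_size']:#x} entropy={s['entropy']:.2f}")
    print("imphash:", imphash([("KERNEL32.dll", "Sleep"), ("USER32.dll", "LoadIconW")]))
```

Running it against a real file is a matter of `parse_pe(open(path, "rb").read())`; the imphash helper takes the DLL/function pairs that a full import-directory parser (not included here) would produce, which is why the value it prints for the two-entry demo list is not comparable to the Import Hash in the table. The TimeDateStamp is trivially forged by packers and build scripts, so treat the decoded link time as a clue, not evidence.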
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/16/21-17:07:12.259592 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 104.131.103.37 | 192.168.2.3 |
07/16/21-17:07:15.256691 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 104.131.103.37 | 192.168.2.3 |
07/16/21-17:07:21.273124 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 104.131.103.37 | 192.168.2.3 |
07/16/21-17:07:42.618824 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 72.10.63.118 | 192.168.2.3 |
07/16/21-17:07:45.806111 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 72.10.63.118 | 192.168.2.3 |
07/16/21-17:07:51.997887 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 72.10.63.118 | 192.168.2.3 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 16, 2021 17:06:20.542170048 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
Jul 16, 2021 17:06:23.548013926 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
Jul 16, 2021 17:06:29.548536062 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
Jul 16, 2021 17:06:44.281224966 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
Jul 16, 2021 17:06:44.403786898 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
Jul 16, 2021 17:06:44.908982992 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
Jul 16, 2021 17:06:45.031189919 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
Jul 16, 2021 17:06:45.534087896 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
Jul 16, 2021 17:06:45.657490969 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
Jul 16, 2021 17:06:48.471726894 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
Jul 16, 2021 17:06:51.472075939 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
Jul 16, 2021 17:06:57.472614050 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
Jul 16, 2021 17:07:12.132922888 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
Jul 16, 2021 17:07:15.130383968 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
Jul 16, 2021 17:07:21.146560907 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
Jul 16, 2021 17:07:35.370628119 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
Jul 16, 2021 17:07:35.438725948 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
Jul 16, 2021 17:07:35.944820881 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
Jul 16, 2021 17:07:36.012451887 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
Jul 16, 2021 17:07:36.523617983 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
Jul 16, 2021 17:07:36.594460011 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
Jul 16, 2021 17:07:40.373577118 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
Jul 16, 2021 17:07:43.382858038 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
Jul 16, 2021 17:07:49.398936987 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
Jul 16, 2021 17:08:04.116400003 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
Jul 16, 2021 17:08:07.103610039 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
Jul 16, 2021 17:08:13.103981018 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 16, 2021 17:06:02.333093882 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:02.398982048 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:02.403018951 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:02.455171108 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:03.199887991 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:03.251107931 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:04.301538944 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:04.360388994 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:05.009922981 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:05.080878973 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:05.522526026 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:05.575153112 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:06.713778019 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:06.763395071 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:07.789093018 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:07.841680050 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:08.611358881 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:08.670780897 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:10.446573019 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:10.504580975 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:11.560636997 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:11.613158941 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:12.701705933 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:12.751097918 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:13.865761995 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:13.920089960 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:16.677190065 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:16.726804018 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:17.607249975 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:17.669481039 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:18.412681103 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:18.466411114 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:19.185880899 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:19.238326073 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:20.020277023 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:20.072833061 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:20.871370077 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:20.925894976 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:22.051337957 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:22.109612942 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:22.853486061 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:22.902765989 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:37.889744043 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:37.957566977 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:39.148256063 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:39.210594893 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:53.667342901 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:53.735356092 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:06:57.148108959 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:06:57.205549002 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:07:11.947230101 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:07:12.015654087 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:07:15.400922060 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:07:15.462726116 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:07:46.678647041 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:07:46.753209114 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jul 16, 2021 17:07:51.150878906 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jul 16, 2021 17:07:51.219223976 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Jul 16, 2021 17:07:12.259592056 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
Jul 16, 2021 17:07:15.256690979 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
Jul 16, 2021 17:07:21.273123980 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
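Read together, the TCP Packets and ICMP Packets tables above show which of the contacted peers were actually reachable during the run. The script below is an added example, not part of the report: it re-parses those rows and classifies each destination. A peer that sent anything back is alive (104.131.103.128:443 and 149.62.173.247:8080 both completed an exchange), a peer that itself returned ICMP Destination Unreachable refused the connection (104.131.103.37), and the remaining destinations show only the client's own SYN retransmissions, spaced 3 s and then 6 s apart, which is the Windows default retry schedule for an unanswered connect. The rows are embedded exactly as copied from the two tables; the state names ('answered', 'rejected', 'silent') are this example's own labels.

```python
"""Which of the sample's C2 peers were actually alive?  An added example for this
report (not Joe Sandbox code) that re-reads the TCP Packets and ICMP Packets tables
above.  A peer is 'answered' when any packet came back from it, 'rejected' when it
sent an ICMP Destination Unreachable, and 'silent' when only the client's SYN
retransmissions (Windows retries after 3 s and again after 6 s) are visible."""
from collections import defaultdict

SANDBOX_HOST = "192.168.2.3"

# Rows copied from the TCP Packets table above: Timestamp | Src port | Dst port | Src IP | Dst IP
TCP_ROWS = """\
Jul 16, 2021 17:06:20.542170048 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81
Jul 16, 2021 17:06:23.548013926 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81
Jul 16, 2021 17:06:29.548536062 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81
Jul 16, 2021 17:06:44.281224966 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128
Jul 16, 2021 17:06:44.403786898 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3
Jul 16, 2021 17:06:44.908982992 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128
Jul 16, 2021 17:06:45.031189919 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3
Jul 16, 2021 17:06:45.534087896 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128
Jul 16, 2021 17:06:45.657490969 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3
Jul 16, 2021 17:06:48.471726894 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173
Jul 16, 2021 17:06:51.472075939 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173
Jul 16, 2021 17:06:57.472614050 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173
Jul 16, 2021 17:07:12.132922888 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37
Jul 16, 2021 17:07:15.130383968 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37
Jul 16, 2021 17:07:21.146560907 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37
Jul 16, 2021 17:07:35.370628119 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247
Jul 16, 2021 17:07:35.438725948 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3
Jul 16, 2021 17:07:35.944820881 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247
Jul 16, 2021 17:07:36.012451887 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3
Jul 16, 2021 17:07:36.523617983 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247
Jul 16, 2021 17:07:36.594460011 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3
Jul 16, 2021 17:07:40.373577118 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48
Jul 16, 2021 17:07:43.382858038 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48
Jul 16, 2021 17:07:49.398936987 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48
Jul 16, 2021 17:08:04.116400003 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114
Jul 16, 2021 17:08:07.103610039 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114
Jul 16, 2021 17:08:13.103981018 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114
"""

# Rows copied from the ICMP Packets table above: Timestamp | Src IP | Dst IP | Checksum | Code | Type
ICMP_ROWS = """\
Jul 16, 2021 17:07:12.259592056 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable
Jul 16, 2021 17:07:15.256690979 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable
Jul 16, 2021 17:07:21.273123980 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable
"""


def _seconds(timestamp: str) -> float:
    """'Jul 16, 2021 17:06:20.542170048 CEST' -> seconds since midnight (single day assumed)."""
    h, m, s = timestamp.split()[3].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcp(text: str):
    rows = []
    for line in text.strip().splitlines():
        ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        rows.append((_seconds(ts), int(sport), int(dport), src, dst))
    return rows


def unreachable_sources(text: str) -> set:
    """Peers that themselves sent ICMP Destination Unreachable (a filter or firewall reject)."""
    return {line.split("|")[1].strip() for line in text.strip().splitlines()
            if "Destination Unreachable" in line}


def classify_c2(tcp_rows, icmp_sources, sandbox=SANDBOX_HOST) -> dict:
    flows = defaultdict(lambda: {"out": [], "in": 0})
    for t, sport, dport, src, dst in tcp_rows:
        if src == sandbox:
            flows[f"{dst}:{dport}"]["out"].append(t)
        elif dst == sandbox:
            flows[f"{src}:{sport}"]["in"] += 1
    verdicts = {}
    for peer, f in flows.items():
        ip = peer.rsplit(":", 1)[0]
        state = "answered" if f["in"] else "rejected" if ip in icmp_sources else "silent"
        gaps = [round(b - a) for a, b in zip(f["out"], f["out"][1:])]  # spacing of client resends
        verdicts[peer] = {"state": state, "attempts": len(f["out"]), "gaps_s": gaps}
    return verdicts


if __name__ == "__main__":
    for peer, v in classify_c2(parse_tcp(TCP_ROWS), unreachable_sources(ICMP_ROWS)).items():
        print(f"{peer:<22} {v['state']:<9} attempts={v['attempts']} gaps={v['gaps_s']}")
```

The two answered peers are the ones worth prioritising for blocking and for pulling the captured payloads; a silent peer may simply have been offline during this 2-minute window and is still an indicator. The 3 s / 6 s gap check is a cheap way to separate "the client gave up" from "the server talked", and works on any flow log that records direction and time, not just this table.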
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 17:06:08 |
Start date: | 16/07/2021 |
Path: | C:\Users\user\Desktop\mormanti.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc10000 |
File size: | 102912 bytes |
MD5 hash: | 6C94EDFEA6E5EE001B00122C9D01BD8A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 17:06:09 |
Start date: | 16/07/2021 |
Path: | C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc10000 |
File size: | 102912 bytes |
MD5 hash: | 6C94EDFEA6E5EE001B00122C9D01BD8A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 17:06:15 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:35 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:37 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:45 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:46 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:47 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:47 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:47 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:48 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:49 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\SgrmBroker.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff641450000 |
File size: | 163336 bytes |
MD5 hash: | D3170A3F3A9626597EEE1888686E3EA6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:06:49 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7488e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:07:50 |
Start date: | 16/07/2021 |
Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6922b0000 |
File size: | 455656 bytes |
MD5 hash: | A267555174BFA53844371226F482B86B |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:07:50 |
Start date: | 16/07/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
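Two entries in the process list above share a size (102912 bytes) and MD5 (6C94EDFEA6E5EE001B00122C9D01BD8A): the submitted mormanti.exe on the Desktop at 17:06:08 and, one second later, eventvwr.exe under C:\Windows\SysWOW64\msmpeg2vdec\. That is the sample relaunching a copy of itself from a system directory under the name of a legitimate Windows binary, which normally lives directly in System32 or SysWOW64, not in a sub-folder. The Python below turns that observation into a check over process-start records. It is an added example, not Joe Sandbox code: it groups records by hash, flags a hash seen both under a user profile and under a system path, and separately flags a system binary name running outside the directory it ships in. The records are copied from this page into a constructed list (in production the same fields come from Sysmon event ID 1 or EDR telemetry); the SYSTEM_BINARY_NAMES set is an illustrative assumption, not a complete inventory.

```python
"""Self-copy and masquerade check over process-start records.  An added example for this
report, not Joe Sandbox code.  In the System Behavior list above the sample started from
the user's Desktop and one second later a binary with the same size and MD5 ran as
eventvwr.exe from a sub-folder of SysWOW64; this groups records by hash and flags exactly
that.  PROCESSES is copied from the list above into a constructed record set; the same
fields are available from Sysmon event ID 1 or EDR telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

USER_ROOTS = ("c:\\users\\",)
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows-shipped executables that live directly in System32/SysWOW64; the same name in
# any other directory is a masquerade.  Illustrative subset, not a complete inventory.
SYSTEM_BINARY_NAMES = {"eventvwr.exe", "svchost.exe", "conhost.exe", "sgrmbroker.exe"}

PROCESSES = [  # (start time, image path, size in bytes, MD5) from the report's process list
    ("17:06:08", r"C:\Users\user\Desktop\mormanti.exe", 102912, "6C94EDFEA6E5EE001B00122C9D01BD8A"),
    ("17:06:09", r"C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe", 102912, "6C94EDFEA6E5EE001B00122C9D01BD8A"),
    ("17:06:15", r"C:\Windows\System32\svchost.exe", 51288, "32569E403279B3FD2EDB7EBD036273FA"),
    ("17:06:49", r"C:\Windows\System32\SgrmBroker.exe", 163336, "D3170A3F3A9626597EEE1888686E3EA6"),
    ("17:07:50", r"C:\Program Files\Windows Defender\MpCmdRun.exe", 455656, "A267555174BFA53844371226F482B86B"),
    ("17:07:50", r"C:\Windows\System32\conhost.exe", 625664, "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]


def location(path: str) -> str:
    """'user' for a profile path, 'system' for System32/SysWOW64 at any depth, else 'other'."""
    p = path.lower()
    if p.startswith(USER_ROOTS):
        return "user"
    if p.startswith(SYSTEM_ROOTS):
        return "system"
    return "other"


def system_depth(path: str) -> int:
    """0 for an image directly inside System32/SysWOW64, 1+ for a sub-folder, -1 otherwise."""
    p = path.lower()
    for root in SYSTEM_ROOTS:
        if p.startswith(root):
            return p[len(root):].count("\\")
    return -1


def masquerades(processes) -> list:
    """System binary names running from anywhere but System32/SysWOW64 itself."""
    return [path for _, path, _, _ in processes
            if PureWindowsPath(path).name.lower() in SYSTEM_BINARY_NAMES and system_depth(path) != 0]


def _clock_seconds(t: str) -> int:
    h, m, s = (int(x) for x in t.split(":"))
    return h * 3600 + m * 60 + s


def self_copies(processes) -> list:
    """Same MD5 seen both under a user profile and under a system directory."""
    by_hash = defaultdict(list)
    for rec in processes:
        by_hash[rec[3].upper()].append(rec)
    findings = []
    for md5, recs in by_hash.items():
        sources = [r[1] for r in recs if location(r[1]) == "user"]
        copies = [r[1] for r in recs if location(r[1]) == "system"]
        if sources and copies:
            findings.append({
                "md5": md5, "size": recs[0][2], "source": sources, "copy": copies,
                "renamed": len({PureWindowsPath(r[1]).name.lower() for r in recs}) > 1,
                "seconds_between": _clock_seconds(recs[-1][0]) - _clock_seconds(recs[0][0]),
            })
    return findings


if __name__ == "__main__":
    for f in self_copies(PROCESSES):
        print(f"self-copy md5={f['md5']} renamed={f['renamed']} after {f['seconds_between']} s")
        print("  source:", *f["source"], "\n  copy:  ", *f["copy"])
    print("masquerades:", masquerades(PROCESSES))
```

The hash-based rule is the robust one: it does not care what the copy is called or where under the system tree it lands. The name rule depends on the inventory and on the fact that Windows does ship some executables in System32 sub-folders (wbem, WindowsPowerShell), so it should be scoped to names known to live at the top level, as done here, rather than to folder depth alone.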
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 8% |
Dynamic/Decrypted Code Coverage: | 76.8% |
Signature Coverage: | 4% |
Total number of Nodes: | 1333 |
Total number of Limit Nodes: | 24 |
Executed Functions |
---|
Function 00C121FD, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 164 | Tags: window, library, memory, COMMON
C-Code - Quality: 71% |
Uniqueness Score: -1.00% |
Function 02DC2871, Relevance: 4.6, APIs: 3, Instructions: 144 | Tags: file, COMMON
Uniqueness Score: -1.00% |
Function 02DC388F, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166 | Tags: service, COMMON
Uniqueness Score: -1.00% |
Function 02DC58E2, Relevance: 3.1, APIs: 2, Instructions: 132 | Tags: file, COMMON
Uniqueness Score: -1.00% |
Function 00C1285B, Relevance: 3.0, APIs: 2, Instructions: 17COMMON
Control-flow Graph |
---|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC67D8, Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC5A8F, Relevance: 1.6, APIs: 1, Instructions: 108fileCOMMON
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC274C | Relevance: 1.5 | APIs: 1 | Instructions: 36 | Tags: file, COMMON
Function 02DC2FB6 | Relevance: 1.5 | APIs: 1 | Instructions: 19 | Tags: memory, COMMON
Function 02DC4171 | Relevance: 1.5 | APIs: 1 | Instructions: 9 | Tags: COMMON
Non-executed Functions |
---|
Function (name not extracted) | C-Code Quality: 85%
Function 02DB23AF | Relevance: 5.1 | Strings: 4 | Instructions: 106 | Tags: COMMON
Function 02DC2A70 | Relevance: 5.1 | Strings: 4 | Instructions: 106 | Tags: COMMON
Function 02DB253B | Relevance: 2.6 | Strings: 2 | Instructions: 118 | Tags: COMMON
Function 02DC2BFC | Relevance: 2.6 | Strings: 2 | Instructions: 118 | Tags: COMMON
Function 02DB0467 | Relevance: 0.1 | Instructions: 80 | Tags: COMMON
Function 02DB277C | Relevance: 0.0 | Instructions: 24 | Tags: COMMON
Function 02DC2E3D | Relevance: 0.0 | Instructions: 24 | Tags: COMMON
Function 02DB304D | Relevance: 0.0 | Instructions: 2 | Tags: COMMON
Function 02DC370E | Relevance: 0.0 | Instructions: 2 | Tags: COMMON
Function 00C113AF | Relevance: 45.7 | APIs: 23 | Strings: 3 | Instructions: 231 | Tags: window, COMMON | C-Code Quality: 59%
Function (name not extracted) | C-Code Quality: 75%
Function 00C11129 | Relevance: 12.0 | APIs: 8 | Instructions: 43 | Tags: COMMON | C-Code Quality: 100%
Function (name not extracted) | C-Code Quality: 67%
Function 00C1186A | Relevance: 10.6 | APIs: 7 | Instructions: 100 | Tags: COMMON | C-Code Quality: 94%
Function 00C123C4 | Relevance: 10.5 | APIs: 4 | Strings: 2 | Instructions: 32 | Tags: window, registry, COMMON | C-Code Quality: 100%
Function 00C11772 | Relevance: 9.1 | APIs: 6 | Instructions: 99 | Tags: COMMON | C-Code Quality: 80%
Function 00C11271 | Relevance: 9.0 | APIs: 6 | Instructions: 40 | Tags: window, COMMON | C-Code Quality: 100%
Function 00C111BA | Relevance: 9.0 | APIs: 6 | Instructions: 27 | Tags: COMMON | C-Code Quality: 95%
Function 00C11EAD | Relevance: 7.6 | APIs: 5 | Instructions: 100 | Tags: COMMON | C-Code Quality: 32%
Function (name not extracted) | C-Code Quality: 45%
Function 00C12435 | Relevance: 6.0 | APIs: 4 | Instructions: 50 | Tags: COMMON | C-Code Quality: 100%
Function 00C119A1 | Relevance: 6.0 | APIs: 4 | Instructions: 48 | Tags: COMMON | C-Code Quality: 61%
Function 00C11D28 | Relevance: 6.0 | APIs: 4 | Instructions: 21 | Tags: COMMON | C-Code Quality: 25%
Execution Graph |
---|
Execution Coverage: | 10.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 309 |
Total number of Limit Nodes: | 4 |
Callgraph |
---|
Executed Functions |
---|
Function 00C121FD | Relevance: 29.9 | APIs: 14 | Strings: 3 | Instructions: 164 | Tags: window, library, memory, COMMON | C-Code Quality: 71%
Function 00C1285B | Relevance: 3.0 | APIs: 2 | Instructions: 17 | Tags: COMMON
Non-executed Functions |
---|
Function (name not extracted) | C-Code Quality: 85%
Function 00C113AF | Relevance: 45.7 | APIs: 23 | Strings: 3 | Instructions: 231 | Tags: window, COMMON | C-Code Quality: 59%
Function (name not extracted) | C-Code Quality: 75%
Function 00C11129 | Relevance: 12.0 | APIs: 8 | Instructions: 43 | Tags: COMMON | C-Code Quality: 100%
Function (name not extracted) | C-Code Quality: 67%
Function 00C1186A | Relevance: 10.6 | APIs: 7 | Instructions: 100 | Tags: COMMON | C-Code Quality: 94%
Function 00C123C4 | Relevance: 10.5 | APIs: 4 | Strings: 2 | Instructions: 32 | Tags: window, registry, COMMON | C-Code Quality: 100%
Function 00C11772 | Relevance: 9.1 | APIs: 6 | Instructions: 99 | Tags: COMMON | C-Code Quality: 80%
Function 00C11271 | Relevance: 9.0 | APIs: 6 | Instructions: 40 | Tags: window, COMMON | C-Code Quality: 100%
Function 00C111BA | Relevance: 9.0 | APIs: 6 | Instructions: 27 | Tags: COMMON | C-Code Quality: 95%
Function 00C11EAD | Relevance: 7.6 | APIs: 5 | Instructions: 100 | Tags: COMMON | C-Code Quality: 32%
Function (name not extracted) | C-Code Quality: 45%
Function 00C12435 | Relevance: 6.0 | APIs: 4 | Instructions: 50 | Tags: COMMON | C-Code Quality: 100%
Function 00C119A1 | Relevance: 6.0 | APIs: 4 | Instructions: 48 | Tags: COMMON | C-Code Quality: 61%
Function 00C11D28 | Relevance: 6.0 | APIs: 4 | Instructions: 21 | Tags: COMMON | C-Code Quality: 25%