Source: google.vrthcobj.com |
Virustotal: Detection: 7% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Virustotal: Detection: 13% |
Perma Link |
Source: LRios3pM39.exe |
Virustotal: Detection: 21% |
Perma Link |
Source: LRios3pM39.exe |
ReversingLabs: Detection: 57% |
Source: LRios3pM39.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: unknown |
HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2 |
Source: |
Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr |
Source: Traffic |
Snort IDS: 1948 DNS zone transfer UDP 192.168.2.4:61523 -> 34.97.69.225:53 |
Source: Joe Sandbox View |
IP Address: 172.67.146.70 172.67.146.70 |
Source: Joe Sandbox View |
JA3 fingerprint: ce5f3254611a8c095a3d821d44539877 |
Source: unknown |
DNS traffic detected: queries for: a.goatgame.co |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown |
HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_004048ED |
0_2_004048ED |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD |
Source: LRios3pM39.exe, 00000000.00000002.648380780.00000000021F0000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000002.662144820.00000000020B0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamenlsbres.dllj% vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000000.647874488.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000002.662171088.00000000021F0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000002.662159981.00000000020D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameQt5Gui.dll( vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000002.662179091.0000000002200000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs LRios3pM39.exe |
Source: LRios3pM39.exe, 00000002.00000002.662149645.00000000020C0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs LRios3pM39.exe |
Source: LRios3pM39.exe |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe |
Source: LRios3pM39.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal76.winEXE@5/2@3/1 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString, |
0_2_00401050 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File created: C:\Users\user\AppData\Local\Temp\sqlite.dat |
Jump to behavior |
Source: LRios3pM39.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File read: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: LRios3pM39.exe |
Virustotal: Detection: 21% |
Source: LRios3pM39.exe |
ReversingLabs: Detection: 57% |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File read: C:\Users\user\Desktop\LRios3pM39.exe:Zone.Identifier |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' |
|
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a |
|
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Jump to behavior |
Source: |
Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, |
0_2_004018A0 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_00406590 push eax; ret |
0_2_004065BE |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
File created: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\LRios3pM39.exe TID: 7144 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, |
0_2_004018A0 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_004053C2 SetUnhandledExceptionFilter, |
0_2_004053C2 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_004053B0 SetUnhandledExceptionFilter, |
0_2_004053B0 |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a |
Jump to behavior |
Source: C:\Users\user\Desktop\LRios3pM39.exe |
Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA, |
0_2_0040267E |