Play interactive tour

Edit tour

Windows Analysis Report T3AtsGGHEL.exe

Overview

General Information

Sample Name:	T3AtsGGHEL.exe
Analysis ID:	534006
MD5:	89611c7a85fb5ccd4dd7edc076bc4ee8
SHA1:	a29812244684e248d7fe4f9e65e180bb4cd3098a
SHA256:	a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
Tags:	exeSmokeLoader
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

T3AtsGGHEL.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\T3AtsGGHEL.exe" MD5: 89611C7A85FB5CCD4DD7EDC076BC4EE8)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: T3AtsGGHEL.exe	Virustotal: Detection: 60%			Perma Link
Source: T3AtsGGHEL.exe	ReversingLabs: Detection: 48%

Multi AV Scanner detection for domain / URL

Show sources

Source: wfsdragon.ru	Virustotal: Detection: 5%			Perma Link
Source: http://wfsdragon.ru/api/setStats.php	Virustotal: Detection: 6%			Perma Link

Machine Learning detection for sample

Show sources

Source: T3AtsGGHEL.exe

Joe Sandbox ML: detected

Source: T3AtsGGHEL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T3AtsGGHEL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00ECA061 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49741 -> 212.193.30.45:80
Source: Traffic	Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49742 -> 172.67.133.215:80

Source: Joe Sandbox View	ASN Name: SPD-NETTR SPD-NETTR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	IP Address: 212.193.30.45 212.193.30.45
Source: Joe Sandbox View	IP Address: 172.67.133.215 172.67.133.215
Source: Joe Sandbox View	IP Address: 172.67.133.215 172.67.133.215

Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45

Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275124847.0000000001159000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/proxies.txt
Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/proxies.txtOP-
Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/(
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.php
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.php3t
Source: T3AtsGGHEL.exe, 00000001.00000002.275140606.0000000001185000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.phpAX

Source: unknown

DNS traffic detected: queries for: wfsdragon.ru

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC1820 InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetReadFile,__aulldiv,InternetReadFile,InternetReadFile,__aulldiv,InternetReadFile,CreateFileA,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /proxies.txt HTTP/1.1Connection: Keep-AliveUser-Agent: ????Host: 212.193.30.45
Source: global traffic	HTTP traffic detected: GET /api/setStats.php HTTP/1.1Connection: Keep-AliveUser-Agent: ????llHost: wfsdragon.ru

Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: T3AtsGGHEL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T3AtsGGHEL.exe	Binary or memory string: OriginalFilename vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000000.270223923.0000000000ED5000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe

Source: T3AtsGGHEL.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC2040
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC1820
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC830
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB7630
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB8600
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB98FC
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB98F4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB592D
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC280
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC24F0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBEED0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00ED0E50
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB6E30
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00ECFF12

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: String function: 00EC3DA0 appears 33 times

Source: T3AtsGGHEL.exe	Virustotal: Detection: 60%
Source: T3AtsGGHEL.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\T3AtsGGHEL.exe "C:\Users\user\Desktop\T3AtsGGHEL.exe"
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01

Source: classification engine

Classification label: mal68.winEXE@2/0@1/2

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: T3AtsGGHEL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: T3AtsGGHEL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC3DE6 push ecx; ret

Source: T3AtsGGHEL.exe

Static PE information: section name: .code

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC3002 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00ECA061 FindFirstFileExW,

Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW{
Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC6DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC8752 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC2040 __aulldiv,HeapFree,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC3D29 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC38A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC3BC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC39E4 cpuid

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC703C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Process Injection1	Process Injection1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
T3AtsGGHEL.exe	61%	Virustotal		Browse
T3AtsGGHEL.exe	48%	ReversingLabs	Win32.Backdoor.Zapchast
T3AtsGGHEL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wfsdragon.ru	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://212.193.30.45/proxies.txtOP-	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.php	7%	Virustotal		Browse
http://wfsdragon.ru/api/setStats.php	0%	Avira URL Cloud	safe
http://wfsdragon.ru/(	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.phpAX	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.php3t	0%	Avira URL Cloud	safe
http://212.193.30.45/proxies.txt	0%	Avira URL Cloud	safe
http://212.193.30.45/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wfsdragon.ru	172.67.133.215	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://wfsdragon.ru/api/setStats.php	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://212.193.30.45/proxies.txt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://212.193.30.45/proxies.txtOP-	T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/(	T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/api/setStats.phpAX	T3AtsGGHEL.exe, 00000001.00000002.275140606.0000000001185000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/api/setStats.php3t	T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://212.193.30.45/	T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.30.45	unknown	Russian Federation		57844	SPD-NETTR	true
172.67.133.215	wfsdragon.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	534006
Start date:	04.12.2021
Start time:	23:47:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	T3AtsGGHEL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.winEXE@2/0@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.35.236.56 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.
Errors:	Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.193.30.45	fXlJhe5OGb.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
	Whg8jgqeOs.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
	ikeokicy4x.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
172.67.133.215	33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	2B97860AFD98DFF5BED238E2A2CE25977B50BA5356333.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	D2864E311EFFCEF848301945DA620B92D1A982DBE2A70.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wfsdragon.ru	2A9E7BC07BD4EC39C2BEAA42FF35352BBE6400F899F70.exe	Get hash	malicious	Browse	104.21.5.208
	0A7D966E66CBD260C909DE1D79038C86A071F2F10A810.exe	Get hash	malicious	Browse	172.67.133.215
	B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe	Get hash	malicious	Browse	104.21.5.208
	3BADEBCEFB9E7153384CAE83BAAA119F6317C9381E850.exe	Get hash	malicious	Browse	172.67.133.215
	8F9CDF75C272FDA7DF367232756EA065600077804B165.exe	Get hash	malicious	Browse	172.67.133.215
	33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe	Get hash	malicious	Browse	172.67.133.215
	0A223AA68AF0C2AF0BAABDA61D82748629078720A017E.exe	Get hash	malicious	Browse	104.21.5.208
	71A117DE440384FDC4B8FB690FC73674E9E2A9A75E689.exe	Get hash	malicious	Browse	104.21.5.208
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	172.67.133.215
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	104.21.5.208
	4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe	Get hash	malicious	Browse	172.67.133.215
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	172.67.133.215
	BC2CCE5055F9411C04EDEEE699D7161C257574B4C5540.exe	Get hash	malicious	Browse	104.21.5.208
	F0627549D39AD1D85BCAAE5CF0B5A90B885658E348480.exe	Get hash	malicious	Browse	172.67.133.215
	D44D77232A9E6E684F1ECE4C9C05B3DCB63D4296CFD29.exe	Get hash	malicious	Browse	104.21.5.208
	2D100CC76F229AC10A7589E1AEA0BFB47B5692840D8F2.exe	Get hash	malicious	Browse	104.21.5.208
	4F1F6C55849D794E71B3F37EB1C700348E31A080EAA14.exe	Get hash	malicious	Browse	104.21.5.208
	AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe	Get hash	malicious	Browse	104.21.5.208
	BAF599ABAB1D6969E1BA455F83375CBC9643BBE504918.exe	Get hash	malicious	Browse	104.21.5.208
	pDHqdUDL46.exe	Get hash	malicious	Browse	104.21.5.208

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe	Get hash	malicious	Browse	162.159.133.233
	780426DE24AE46F300FDAF9CBF597C8F2164F7B6C525C.exe	Get hash	malicious	Browse	104.21.19.200
	W88QoyCyC7.exe	Get hash	malicious	Browse	162.159.130.233
	e8cvIYg1a3	Get hash	malicious	Browse	1.4.15.184
	24E7ED53A8DCE89A4D8F054712A5D77693049EC726F67.exe	Get hash	malicious	Browse	104.23.98.190
	SetUp(5).exe	Get hash	malicious	Browse	162.159.137.232
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	104.21.49.105
	I6l10z8wKV.exe	Get hash	malicious	Browse	162.159.134.233
	PurchaseOrder2xls.exe	Get hash	malicious	Browse	162.159.134.233
	qwEMaieh4k.exe	Get hash	malicious	Browse	162.159.135.233
	FKdsgnUjpn.exe	Get hash	malicious	Browse	162.159.133.233
	y8xn6l2hY0.exe	Get hash	malicious	Browse	162.159.134.233
	eufive_20211204-002445(1).exe	Get hash	malicious	Browse	162.159.130.233
	jA0D6OjNRa.exe	Get hash	malicious	Browse	104.21.96.57
	xajsmKqcFk.exe	Get hash	malicious	Browse	162.159.130.233
	4L2BCPJRuk.exe	Get hash	malicious	Browse	162.159.130.233
	XPCIJGAZa6.exe	Get hash	malicious	Browse	172.67.173.151
	MPEtLYdhdk.msi	Get hash	malicious	Browse	104.21.22.210
	cC6A9znVtH.exe	Get hash	malicious	Browse	172.67.173.151
	f2Y03RRaRe.exe	Get hash	malicious	Browse	162.159.134.233
SPD-NETTR	912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe	Get hash	malicious	Browse	212.193.30.29
	780426DE24AE46F300FDAF9CBF597C8F2164F7B6C525C.exe	Get hash	malicious	Browse	212.193.30.29
	W88QoyCyC7.exe	Get hash	malicious	Browse	195.133.47.114
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	212.193.30.29
	I6l10z8wKV.exe	Get hash	malicious	Browse	195.133.47.114
	qwEMaieh4k.exe	Get hash	malicious	Browse	195.133.47.114
	xajsmKqcFk.exe	Get hash	malicious	Browse	195.133.47.114
	4L2BCPJRuk.exe	Get hash	malicious	Browse	195.133.47.114
	cC6A9znVtH.exe	Get hash	malicious	Browse	212.193.30.45
	21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe	Get hash	malicious	Browse	212.193.30.29
	0D054D4B3068EA7F877963A9BE8A71581CB0396A309F6.exe	Get hash	malicious	Browse	212.193.30.29
	rfmEYZiTI4.exe	Get hash	malicious	Browse	212.193.30.29
	sk4e7kDlkb.exe	Get hash	malicious	Browse	212.193.30.45
	Nh3xqMPynb.exe	Get hash	malicious	Browse	212.193.30.196
	7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe	Get hash	malicious	Browse	212.193.30.29
	f7Kudio57m.exe	Get hash	malicious	Browse	212.193.30.196
	CYw9gmWr8C.exe	Get hash	malicious	Browse	212.193.30.196
	ajTlXKBm6k.exe	Get hash	malicious	Browse	212.193.30.196
	991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe	Get hash	malicious	Browse	212.193.30.29
	vjdcYcI4Y2.exe	Get hash	malicious	Browse	212.193.30.196

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.162371325795308
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T3AtsGGHEL.exe
File size:	436224
MD5:	89611c7a85fb5ccd4dd7edc076bc4ee8
SHA1:	a29812244684e248d7fe4f9e65e180bb4cd3098a
SHA256:	a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
SHA512:	5bb8da1fc7efe568d7279c39c0c8cee8e55f858e2b101db5d48a933d95e4e87040f944428dd930a12a8766e7da37c5e332a0b16211955ef867172822d878eed3
SSDEEP:	12288:1imaXG6cgudGbpR8W6szcwG67S+9Gf1NyKZ4:Mm7C8W3zLG6G+4f9Z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.cG........................................................*...............Y...................................Rich...........

File Icon


Icon Hash:	f89e67662636decc

Static PE Info

General
Entrypoint:	0x4137fa
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A8861D [Thu Dec 2 08:38:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	503fd9eea05c6f717892aae512299b17

Entrypoint Preview

Instruction
call 00007FD98CD00443h
jmp 00007FD98CCFFC69h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007FD98CCFFE1Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
div ecx
mov esi, eax
mov eax, ebx
mul dword ptr [esp+10h]
mov ecx, eax
mov eax, esi
mul dword ptr [esp+10h]
add edx, ecx
jmp 00007FD98CCFFE39h
mov ecx, eax
mov ebx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
mov eax, dword ptr [esp+08h]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007FD98CCFFDE6h
div ebx
mov esi, eax
mul dword ptr [esp+14h]
mov ecx, eax
mov eax, dword ptr [esp+10h]
mul esi
add edx, ecx
jc 00007FD98CCFFE00h
cmp edx, dword ptr [esp+0Ch]
jnbe 00007FD98CCFFDFAh
jc 00007FD98CCFFE01h
cmp eax, dword ptr [esp+08h]
jbe 00007FD98CCFFDFBh
dec esi
sub eax, dword ptr [esp+10h]
sbb edx, dword ptr [esp+14h]
xor ebx, ebx
sub eax, dword ptr [esp+08h]
sbb edx, dword ptr [esp+0Ch]
neg edx
neg eax
sbb edx, 00000000h
mov ecx, edx
mov edx, ebx
mov ebx, ecx
mov ecx, eax
mov eax, esi
pop esi
retn 0010h
ret
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00425068h]
push dword ptr [ebp+08h]
call dword ptr [00425064h]
push C0000409h
call dword ptr [0000006Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25140	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x45c18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0x1650	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x602c	0x1c	.code
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6048	0x40	.code
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x13c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x218a0	0x21a00	False	0.50054455158	data	6.46692412072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x23000	0x1590	0xa00	False	0.178125	DOS executable (block device driver @\273\)	2.44015014816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x25000	0x83a	0xa00	False	0.39140625	COM executable for DOS	4.75468144198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x45c18	0x45e00	False	0.816409743962	data	7.34383108574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0x1650	0x1800	False	0.733072916667	data	6.40608727267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x26578	0x1dccb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x44248	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 570425344, next used block 352321536
RT_ICON	0x54a70	0x94a8	data
RT_ICON	0x5df18	0x5488	data
RT_ICON	0x633a0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x675c8	0x25a8	data
RT_ICON	0x69b70	0x10a8	data
RT_ICON	0x6ac18	0x988	data
RT_ICON	0x6b5a0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x6ba08	0x84	data
RT_VERSION	0x262b0	0x2c4	data
RT_MANIFEST	0x6ba90	0x188	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

ReadFile, lstrcatA, GetModuleHandleA, CreateFileA, lstrcpyA, CloseHandle, CreateThread, GetProcAddress, GetFileSize, GetConsoleWindow, GetLastError, lstrlenA, lstrcpynA, WriteConsoleW, CreateFileW, HeapSize, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RtlUnwind, RaiseException, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapReAlloc, SetFilePointerEx, GetFileType, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, GetConsoleMode, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

ShowWindow

Version Infos

Description	Data
LegalCopyright	Tokenizer
InternalName	UpdateToken.exe
FileVersion	7272.5.13.1
CompanyName	FreshTokenizer
ProductName	Token Updater
ProductVersion	2.1.4.1
FileDescription	Token Updater
OriginalFilename	SetToken.exe
Translation	0x041f 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/04/21-23:48:26.150465	TCP	2010595	ET MALWARE User-Agent (???)	49741	80	192.168.2.3	212.193.30.45
12/04/21-23:48:26.277728	TCP	2010595	ET MALWARE User-Agent (???)	49742	80	192.168.2.3	172.67.133.215

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:48:26.122400045 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.149882078 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.149980068 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.150465012 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.177802086 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.177956104 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.177988052 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.178047895 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.178165913 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.249811888 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.277226925 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.277327061 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.277728081 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.305057049 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396331072 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396368980 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396445990 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.483290911 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.510665894 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.759848118 CET	49742	80	192.168.2.3	172.67.133.215

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:48:26.221666098 CET	57459	53	192.168.2.3	8.8.8.8
Dec 4, 2021 23:48:26.244530916 CET	53	57459	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 4, 2021 23:48:26.221666098 CET	192.168.2.3	8.8.8.8	0xa3a3	Standard query (0)	wfsdragon.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 4, 2021 23:48:26.244530916 CET	8.8.8.8	192.168.2.3	0xa3a3	No error (0)	wfsdragon.ru		172.67.133.215	A (IP address)	IN (0x0001)
Dec 4, 2021 23:48:26.244530916 CET	8.8.8.8	192.168.2.3	0xa3a3	No error (0)	wfsdragon.ru		104.21.5.208	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

212.193.30.45

wfsdragon.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	212.193.30.45	80	C:\Users\user\Desktop\T3AtsGGHEL.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:48:26.150465012 CET	1094	OUT	GET /proxies.txt HTTP/1.1 Connection: Keep-Alive User-Agent: ???? Host: 212.193.30.45
Dec 4, 2021 23:48:26.177956104 CET	1095	IN	HTTP/1.1 400 Bad Request Date: Sat, 04 Dec 2021 22:48:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 32 37 2e 30 2e 30 2e 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br /></p><hr><address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	172.67.133.215	80	C:\Users\user\Desktop\T3AtsGGHEL.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:48:26.277728081 CET	1096	OUT	GET /api/setStats.php HTTP/1.1 Connection: Keep-Alive User-Agent: ????ll Host: wfsdragon.ru
Dec 4, 2021 23:48:26.396331072 CET	1096	IN	HTTP/1.1 200 OK Date: Sat, 04 Dec 2021 22:48:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kvZt4oAmzp5KHLuJ9wjcV9P2UE0ZZknV7%2Fe0lsgFYZ1XJlNEm%2FNyqZqm6chv8PtPe0FqKT4HybdXJfglt%2BjNFn6Cp5NxYIhbZutSL17VvgRXAanLFqoNvcwsJLIK3hY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b88950c5d7a0676-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 66 0d 0a 25 22 3e 39 57 5f 43 58 5b 43 58 54 43 59 5f 0d 0a Data Ascii: f%">9W_CX[CXTCY_

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: T3AtsGGHEL.exe PID: 6980 Parent PID: 4484

General

Start time:	23:48:23
Start date:	04/12/2021
Path:	C:\Users\user\Desktop\T3AtsGGHEL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\T3AtsGGHEL.exe"
Imagebase:	0xeb0000
File size:	436224 bytes
MD5 hash:	89611C7A85FB5CCD4DD7EDC076BC4EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 7044 Parent PID: 6980

General

Start time:	23:48:24
Start date:	04/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report T3AtsGGHEL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior