Edit tour

Windows Analysis Report
AutoInstall.exe

Overview

General Information

Sample Name:	AutoInstall.exe
Analysis ID:	593200
MD5:	7700a0d1b07e63f054a730fbf9156ef0
SHA1:	6995f2e5f4544b3e99489364bccc56084198c61d
SHA256:	99b4df04fc5236a12bcf96a4c6ec797b2555189915050d7a0a1704f4f69ab770
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Writes to foreign memory regions

Allocates memory in foreign processes

May check the online IP address of the machine

PE file contains section with special chars

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

HTTP GET or POST without a user agent

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

AutoInstall.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\AutoInstall.exe" MD5: 7700A0D1B07E63F054A730FBF9156EF0)

conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 64 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

cleanup

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, QueryName: ip-api.com

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AutoInstall.exe

Virustotal: Detection: 36%

Perma Link

Source: AutoInstall.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:

Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp, AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp

Networking

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: AutoInstall.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: AutoInstall.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AutoInstall.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: AutoInstall.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: AutoInstall.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: AutoInstall.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AutoInstall.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AutoInstall.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AutoInstall.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.641051378.0000000007127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: AutoInstall.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: AutoInstall.exe	String found in binary or memory: http://www.entrust.net/rpa0
Source: AutoInstall.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: AutoInstall.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: AutoInstall.exe, 00000001.00000002.379164276.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file contains section with special chars

Source: AutoInstall.exe

Static PE information: section name: .pyX$d

Source: AutoInstall.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1478	3_2_055D1478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1DA0	3_2_055D1DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DBF80	3_2_055DBF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DDEE0	3_2_055DDEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DC850	3_2_055DC850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0860	3_2_055D0860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B40	3_2_055D0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D156F	3_2_055D156F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D20D8	3_2_055D20D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DBC38	3_2_055DBC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1E51	3_2_055D1E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B7A	3_2_055D0B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B30	3_2_055D0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_09D76E50	3_2_09D76E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_09D76E40	3_2_09D76E40

Source: AutoInstall.exe

Static PE information: invalid certificate

Source: AutoInstall.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\AutoInstall.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AutoInstall.exe "C:\Users\user\Desktop\AutoInstall.exe"
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\8d96007aa6619f065c7ec2509ce5f96d

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winEXE@4/0@1/1

Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: AutoInstall.exe

Static file information: File size 4344320 > 1048576

Source: AutoInstall.exe

Static PE information: Raw size of .iXgHkK is bigger than: 0x100000 < 0x3eae00

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 3_2_055D63F2 push D800035Eh; ret

3_2_055D6421

Source: AutoInstall.exe	Static PE information: section name: .iXgHkK
Source: AutoInstall.exe	Static PE information: section name: .pyX$d

Source: initial sample

Static PE information: section name: .pyX$d entropy: 7.40228735958

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AutoInstall.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\AutoInstall.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: F65008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\AutoInstall.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\AutoInstall.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\AutoInstall.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\AutoInstall.exe

Code function: 1_2_00409C7C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00409C7C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	111 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AutoInstall.exe	37%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.AutoInstall.exe.24b0000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File
3.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://ip-api.com4	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aia.entrust.net/ts1-chain256.cer01	AutoInstall.exe	false		high
http://www.codeplex.com/DotNetZip	AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	AutoInstall.exe	false		high
http://ocsp.entrust.net03	AutoInstall.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa0	AutoInstall.exe	false		high
http://ocsp.entrust.net02	AutoInstall.exe	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	AutoInstall.exe	false		high
http://crl.entrust.net/2048ca.crl0	AutoInstall.exe	false		high
http://ip-api.com	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.641051378.0000000007127000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com4	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	593200
Start date and time:	2022-03-21 12:17:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AutoInstall.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 72% Number of executed functions: 22 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target AutoInstall.exe, PID 6564 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.95.112.1	Votrerelev#U00e9fiscal.vbs	Get hash	malicious	Browse	ip-api.com/json/
	RE32GGHQRv.exe	Get hash	malicious	Browse	ip-api.com/json/
	Dep_08643.msi	Get hash	malicious	Browse	ip-api.com/json/
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json
	OyLImUdEwH.exe	Get hash	malicious	Browse	ip-api.com/json/
	PUPrfS3p8A.exe	Get hash	malicious	Browse	ip-api.com/json/
	X6vZL6Tj7s.exe	Get hash	malicious	Browse	ip-api.com/json/
	dDbTUabIt8.exe	Get hash	malicious	Browse	ip-api.com/json/
	HKoLuz7ekJ.exe	Get hash	malicious	Browse	ip-api.com/json/
	yLuLadKu7U.exe	Get hash	malicious	Browse	ip-api.com/json/
	XmNlGswk9G.exe	Get hash	malicious	Browse	ip-api.com/json/
	IRjzcACEyl.exe	Get hash	malicious	Browse	ip-api.com/json/
	postbank.apk	Get hash	malicious	Browse	www.ip-api.com/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ip-api.com	Votrerelev#U00e9fiscal.vbs	Get hash	malicious	Browse	208.95.112.1
	RE32GGHQRv.exe	Get hash	malicious	Browse	208.95.112.1
	Dep_08643.msi	Get hash	malicious	Browse	208.95.112.1
	OyLImUdEwH.exe	Get hash	malicious	Browse	208.95.112.1
	PUPrfS3p8A.exe	Get hash	malicious	Browse	208.95.112.1
	X6vZL6Tj7s.exe	Get hash	malicious	Browse	208.95.112.1
	dDbTUabIt8.exe	Get hash	malicious	Browse	208.95.112.1
	HKoLuz7ekJ.exe	Get hash	malicious	Browse	208.95.112.1
	yLuLadKu7U.exe	Get hash	malicious	Browse	208.95.112.1
	XmNlGswk9G.exe	Get hash	malicious	Browse	208.95.112.1
	IRjzcACEyl.exe	Get hash	malicious	Browse	208.95.112.1
	nNDkOcUjO5.exe	Get hash	malicious	Browse	208.95.112.1
	zggoXCqQwb.exe	Get hash	malicious	Browse	208.95.112.1
	zggoXCqQwb.exe	Get hash	malicious	Browse	208.95.112.1
	buNv7CAzE2.exe	Get hash	malicious	Browse	208.95.112.1
	d764.exe	Get hash	malicious	Browse	208.95.112.1
	ZYtIZq9FwF.exe	Get hash	malicious	Browse	208.95.112.1
	ZYtIZq9FwF.exe	Get hash	malicious	Browse	208.95.112.1
	TuKQGeAi2w.exe	Get hash	malicious	Browse	208.95.112.1
	4618FB57958C19496E668916D769CB40E6BB0A0AF0FBB.exe	Get hash	malicious	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TUT-ASUS	Votrerelev#U00e9fiscal.vbs	Get hash	malicious	Browse	208.95.112.1
	RE32GGHQRv.exe	Get hash	malicious	Browse	208.95.112.1
	Dep_08643.msi	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	postbank.apk	Get hash	malicious	Browse	208.95.112.1
	OyLImUdEwH.exe	Get hash	malicious	Browse	208.95.112.1
	PUPrfS3p8A.exe	Get hash	malicious	Browse	208.95.112.1
	X6vZL6Tj7s.exe	Get hash	malicious	Browse	208.95.112.1
	dDbTUabIt8.exe	Get hash	malicious	Browse	208.95.112.1
	HKoLuz7ekJ.exe	Get hash	malicious	Browse	208.95.112.1
	yLuLadKu7U.exe	Get hash	malicious	Browse	208.95.112.1
	XmNlGswk9G.exe	Get hash	malicious	Browse	208.95.112.1
	IRjzcACEyl.exe	Get hash	malicious	Browse	208.95.112.1
	nNDkOcUjO5.exe	Get hash	malicious	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.8762873630378625
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AutoInstall.exe
File size:	4344320
MD5:	7700a0d1b07e63f054a730fbf9156ef0
SHA1:	6995f2e5f4544b3e99489364bccc56084198c61d
SHA256:	99b4df04fc5236a12bcf96a4c6ec797b2555189915050d7a0a1704f4f69ab770
SHA512:	9d063f2e37a35e20a322a4ab2be24884a245a40c4924b618a83f69515a62b15a954393717961f79c77945f2b692ea5d26d829153a8ece04c4ff774a48dc8607e
SSDEEP:	98304:IDWrdQJJ6qOobDtlLCSvKBXRAtiX2CVQmYRx6uiNnA9gEEtwPpAK3q2M:D6KPktlvIAtSNn6gFtYrzM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b8b..................@..<......;.........A...@..........................0B............................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40953b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6238628B [Mon Mar 21 11:33:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	99c2cae0b7316add27de679470515124

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	4/13/2021 5:00:00 PM 4/16/2024 4:59:59 PM
Subject Chain	CN=Nvidia Corporation, OU=IT-MIS, O=Nvidia Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	991A62097E637843EA62029BF4E829BC
Thumbprint SHA-1:	F518FAD5DEC9E0500DA1C1598C4B0FFC0268B2D0
Thumbprint SHA-256:	A4870BB5FEB7028CCB0E50936E9138F528FF3CCD001D44C7D268A69685455FE8
Serial:	0266ADFA176389D9B4301AC87EFD6A96

Entrypoint Preview

Instruction
call 00007F5E64D0882Eh
jmp 00007F5E64D07F19h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F5E64D080BBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F5E64D080ACh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F5E64D080AEh
add edx, 28h
cmp edx, esi
jne 00007F5E64D0808Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F5E64D0809Bh
push esi
call 00007F5E64D08B0Bh
test eax, eax
je 00007F5E64D080C2h
mov eax, dword ptr fs:[00000018h]
mov esi, 008211E4h
mov edx, dword ptr [eax+04h]
jmp 00007F5E64D080A6h
cmp edx, eax
je 00007F5E64D080B2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F5E64D08092h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F5E64D080A9h
mov byte ptr [008211E8h], 00000001h
call 00007F5E64D08580h
call 00007F5E64D0A8FEh
test al, al
jne 00007F5E64D080A6h
xor al, al
pop ebp
ret
call 00007F5E64D1386Eh
test al, al
jne 00007F5E64D080ACh
push 00000000h
call 00007F5E64D0A905h
pop ecx
jmp 00007F5E64D0808Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [008211E9h], 00000000h
je 00007F5E64D080A6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41f12c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x422800	0x2200
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41ced8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x410000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23fe5	0x24000	False	0.55852593316	data	6.58598139573	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.iXgHkK	0x25000	0x3eac39	0x3eae00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x410000	0xf8d8	0xfa00	False	0.546984375	data	5.65055331195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x420000	0x1ce8	0x1000	False	0.18994140625	data	3.03654885505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pyX$d	0x422000	0x910	0xa00	False	0.881640625	data	7.40228735958	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

USER32.dll

GetSysColorBrush, MessageBeep, MessageBoxA, GetSystemMetrics, SendNotifyMessageA

KERNEL32.dll

TlsSetValue, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, GetLastError, GetCurrentProcessId, GetCurrentThreadId, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, FreeConsole, GetConsoleWindow, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, FreeEnvironmentStringsW, RaiseException, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, WriteConsoleW, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2022 13:19:19.080195904 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.109673977 CET	80	49775	208.95.112.1	192.168.2.6
Mar 21, 2022 13:19:19.109812975 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.119479895 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.149487019 CET	80	49775	208.95.112.1	192.168.2.6
Mar 21, 2022 13:19:19.292432070 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:58.370439053 CET	80	49775	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2022 13:19:18.970336914 CET	52858	53	192.168.2.6	8.8.8.8
Mar 21, 2022 13:19:18.989157915 CET	53	52858	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 21, 2022 13:19:18.970336914 CET	192.168.2.6	8.8.8.8	0x45cd	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 21, 2022 13:19:18.989157915 CET	8.8.8.8	192.168.2.6	0x45cd	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49775	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2022 13:19:19.119479895 CET	1097	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 21, 2022 13:19:19.149487019 CET	1097	IN	HTTP/1.1 200 OK Date: Mon, 21 Mar 2022 12:19:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	1
Start time:	13:18:59
Start date:	21/03/2022
Path:	C:\Users\user\Desktop\AutoInstall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AutoInstall.exe"
Imagebase:	0x400000
File size:	4344320 bytes
MD5 hash:	7700A0D1B07E63F054A730FBF9156EF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	13:19:00
Start date:	21/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	13:19:02
Start date:	21/03/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x1050000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	3

Executed Functions

Function 055D1478 Relevance: 1.6, Strings: 1, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,Lyl, xrefs: 055D19DB

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID: ,Lyl
API String ID: 0-148460786
Opcode ID: a954b1494ab577acae299ce882b2ff7946abc212f0395969c46d1e28016bf2fa
Instruction ID: 3a9e40badcd3e4098c4225e6ba43d897b195b890e5d455034234a13ebaece6b5
Opcode Fuzzy Hash: a954b1494ab577acae299ce882b2ff7946abc212f0395969c46d1e28016bf2fa
Instruction Fuzzy Hash: 45F17F31E045298FDB24CB68C890AACFBF2FF85305F19C1A9D059AB256D734AD85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 055DDEE0 Relevance: 1.6, Strings: 1, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<yl, xrefs: 055DE12D

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID: <yl
API String ID: 0-385778458
Opcode ID: b6ff50495b411cd00fd379017ed3bcca0990993f96b13e5e1d7462efbefc56c6
Instruction ID: 8b71ef8e59c0d78c58d50bca36b86e4a795e285b91c65609acd235293ba6c4fc
Opcode Fuzzy Hash: b6ff50495b411cd00fd379017ed3bcca0990993f96b13e5e1d7462efbefc56c6
Instruction Fuzzy Hash: D2D15E71E002098FCB14DFA8C885AAEFBF6FF88314F15855AD515AB351DB34A946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 055D1DA0 Relevance: 1.5, Strings: 1, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`xl, xrefs: 055D1E2D

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID: `xl
API String ID: 0-952570869
Opcode ID: 3abc697cd6708ee37344f523b72f826fa15f45a1151314a02a3d4481910693fb
Instruction ID: 30df36133b79a88817b7ea1e311ca83fa3e1755fcb08d4456baf30b2d384df5e
Opcode Fuzzy Hash: 3abc697cd6708ee37344f523b72f826fa15f45a1151314a02a3d4481910693fb
Instruction Fuzzy Hash: 15817C36F105249FD714DB69CC84AAEB7E3BFC8614F1A8564E40ADB765DB30AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 055D0B40 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb34b43a434cfe48ea7ff7c952bd20c6b0ab70c0e1ef3870a4a0bab3b458964
Instruction ID: c20ec78b1e5fee22afcc8b04839b914ea0c83bb1df0c534b46fedc0b989cf0a3
Opcode Fuzzy Hash: 8eb34b43a434cfe48ea7ff7c952bd20c6b0ab70c0e1ef3870a4a0bab3b458964
Instruction Fuzzy Hash: 1332AE35A006298FDB24CF69D885AADB7F2FF88304F15C569E009EB355DB34A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 055D0B30 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50d8a78d24e2c261eaf7ecc77baebeb7ce9388fd2fdfbee502f3c2aae5b8cc4
Instruction ID: 33781cbeae689e0063848c76fe3cdc1670c57d4ca3ec6dde04cd15bf70e59e23
Opcode Fuzzy Hash: b50d8a78d24e2c261eaf7ecc77baebeb7ce9388fd2fdfbee502f3c2aae5b8cc4
Instruction Fuzzy Hash: BEE1BF35E106298FCB14CF79D8856ADBBF2BFC8314F01C569E409EB355DB34A9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 055D0B7A Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e6738118bfe67573e4738716839b5929d0d4d81a5b92de223c169c4f7ea9ef
Instruction ID: 7c7f12c20790e476aa0a7c2b82b0fe3ed17e7e22b71711155447966b9ceae788
Opcode Fuzzy Hash: 22e6738118bfe67573e4738716839b5929d0d4d81a5b92de223c169c4f7ea9ef
Instruction Fuzzy Hash: 46E1BD35E006298FCB24CF79D8856ADB7F2BFC8314F018569E40AEB355DB34A9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 055DBF80 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753a07b5ea28d2064d982d95a3df0c9f1521aa5e97fdd84575506e73ae3a88fa
Instruction ID: 4387c02381ff41d6aa96911ec682e7bc0c2227586f274f09b55fc3c099ef69ce
Opcode Fuzzy Hash: 753a07b5ea28d2064d982d95a3df0c9f1521aa5e97fdd84575506e73ae3a88fa
Instruction Fuzzy Hash: 7EB13B71E042198FDB24CFE9C8857EDFBF2BF88304F148529E815A7294DB749846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 055DC850 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71357f3bf77638972046832af278931454e39affc909bde27a42792f3e3835e4
Instruction ID: 000b678f49ca2a79bee4a62ec31dec0aa5f894aed8773c375a97d8f65b845ea0
Opcode Fuzzy Hash: 71357f3bf77638972046832af278931454e39affc909bde27a42792f3e3835e4
Instruction Fuzzy Hash: F7B15B72E042098FDB20CFA9C9857EDFBF2BF88714F148529D819A7294DB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 055D156F Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf60e0799a4a80c39506aee61b76668e57e1ebada6bdd4b761634f74b3cdcac
Instruction ID: 78906cac6774ac045ce10c60e4c11e281f4d0c438985a076c80f36ba0eced8ec
Opcode Fuzzy Hash: 3bf60e0799a4a80c39506aee61b76668e57e1ebada6bdd4b761634f74b3cdcac
Instruction Fuzzy Hash: 5B918031E046298FDB24CF68C890AADF7B2FF85304F29C5A9D059AB255D734AD82CF54

Uniqueness

Uniqueness Score: -1.00%

Function 055D0860 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5959c09f9d24bf83ccdd882d87a77e822cf495cbd1671971472b6deb55c827ab
Instruction ID: 13e94b4dfcfd48e6362bf81951012f98009b985227a3a7a82d9509bd10cc5afe
Opcode Fuzzy Hash: 5959c09f9d24bf83ccdd882d87a77e822cf495cbd1671971472b6deb55c827ab
Instruction Fuzzy Hash: 8E81F979E4010E9FDF14CFAAE5859ADBBF1BF48314F10A559D412EB2A0DB31A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09D7592C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09D75F46,?,?,?,?,?), ref: 09D76007

Strings

HW, xrefs: 09D7592C

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID: HW
API String ID: 3793708945-4244388116
Opcode ID: 1f4dcf3e7b8e071c5b5e44f39faa515f356f82b00f6a985e52b8ea21084f7ba4
Instruction ID: 715274c9a066f6796cff53ce4cd76705fa726ae3ded42cb73696cfe43a093ae0
Opcode Fuzzy Hash: 1f4dcf3e7b8e071c5b5e44f39faa515f356f82b00f6a985e52b8ea21084f7ba4
Instruction Fuzzy Hash: E02103B59003489FDB10CF9AD984AEEFBF8EB48324F54841AE954A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D767B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 09D76E05

Strings

dW, xrefs: 09D767B0

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: Initialize
String ID: dW
API String ID: 2538663250-2358443097
Opcode ID: e4a09660df741046dbdb345d36c71796f601c4053f20331736fc64df227dbbab
Instruction ID: a40ad59cfef144db7751c0afcbc014fc2061e64f9e78e9e2b1b63527e6254c80
Opcode Fuzzy Hash: e4a09660df741046dbdb345d36c71796f601c4053f20331736fc64df227dbbab
Instruction Fuzzy Hash: 271103B19007488FCB10DF99D588BDEFBF8EB48324F14845AE959A7610E374A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 055D9884 Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 055D9977

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba949c4ec00c26614d0ddfcdc9e6901bb36e2d9361aaec1f77b2317ee2eb1e91
Instruction ID: 4d9719da12e5f061dcda2b6cb0e814345c1c38656b1b7d5728f7fbdaa6e064bc
Opcode Fuzzy Hash: ba949c4ec00c26614d0ddfcdc9e6901bb36e2d9361aaec1f77b2317ee2eb1e91
Instruction Fuzzy Hash: 484105B2D002589FDB24CFA9C8857DEFBF1BB48714F14852AD815A7344D7749846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055D794C Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 055D9977

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38109c0fb691d6bad4e7562fc83246a3269daa667057b79cc3cd9d17850123b9
Instruction ID: a3a1665e20148f3955bb5da4ab170cb94a039de1d3797ae9ce8d96526d5c0880
Opcode Fuzzy Hash: 38109c0fb691d6bad4e7562fc83246a3269daa667057b79cc3cd9d17850123b9
Instruction Fuzzy Hash: DA4138B1D002589FDB24CFA9C88579EFBF1FB48714F14852AE815A7344D7749846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D77C59 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09D77C40,080A6D30,07134FA0), ref: 09D77CD1

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 191ac51fff541250eca6af1a14c9e84b6a59320c0320f5972ebd2b94c7eb194f
Instruction ID: ea51ba6bb79ebe31a3409d0610ebbd0c148e8d2195d86a33cdf7208fc2b21425
Opcode Fuzzy Hash: 191ac51fff541250eca6af1a14c9e84b6a59320c0320f5972ebd2b94c7eb194f
Instruction Fuzzy Hash: AB213871D002598FDB10CFA9C884BEEFBF5BB88324F14842AD855A3750D774A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 09D75F78 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09D75F46,?,?,?,?,?), ref: 09D76007

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e2489659bdffee23228a83849288d2a0fbc433c9c470e9c361b104cbb07b27b
Instruction ID: 8308dadd33046e795a0485f796ebb44783be5809bffb068370d196ed029e99d6
Opcode Fuzzy Hash: 7e2489659bdffee23228a83849288d2a0fbc433c9c470e9c361b104cbb07b27b
Instruction Fuzzy Hash: 0821E2B5900248EFDB10CFA9D984AEEFFF4EB48324F14841AE954A3751D374A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09D7681C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09D77C40,080A6D30,07134FA0), ref: 09D77CD1

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 7b31dc812caceb83e51efebe8260721d4a09bc65c6f136c7ce6bac575435ca5d
Instruction ID: cf9a1fecbce7fbd097ae76c0d5288b9bc2fa35e30b47c0ebd8599ea82085e66a
Opcode Fuzzy Hash: 7b31dc812caceb83e51efebe8260721d4a09bc65c6f136c7ce6bac575435ca5d
Instruction Fuzzy Hash: F62104719002198FDB10CF9AC884BEEFBF9FB88224F14842AE854A3750D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09D77FE9 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,09D7517D,?,?,?), ref: 09D7806D

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 401d5f3c7d1a523ae9e6b91b835d366ac9993468dcca601a9ce719f190b8ba32
Instruction ID: c74394aed4d69dc2d9b081880daf7f49d9064f26139eedbd0483bf6d1a189eeb
Opcode Fuzzy Hash: 401d5f3c7d1a523ae9e6b91b835d366ac9993468dcca601a9ce719f190b8ba32
Instruction Fuzzy Hash: CB2132B59003499FCB20CF99D988ADEFBB4FB88314F14852EE859A7600D375A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 09D74E88 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,09D7517D,?,?,?), ref: 09D7806D

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 9408a9d29eb8415cab4b748fa8fac60598b00e1afbc913786cf4c0bea4192ade
Instruction ID: 64bdb565ca1d88714140e97e37b19220bc27f6327785263eec97e465f52a631a
Opcode Fuzzy Hash: 9408a9d29eb8415cab4b748fa8fac60598b00e1afbc913786cf4c0bea4192ade
Instruction Fuzzy Hash: 3C2113B59003599FCB10CF9AD988BDEFBB4FB88314F14852EE819A7600D375A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D76DA9 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 09D76E05

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 443d32cea809e2fc5705d079a2d611b5b97d6044d619773359ee7f6cd555ffb0
Instruction ID: 592432651271262e2064aff0cc3e7d49367ea8341ae6fe1c4e33d0244a30c598
Opcode Fuzzy Hash: 443d32cea809e2fc5705d079a2d611b5b97d6044d619773359ee7f6cd555ffb0
Instruction Fuzzy Hash: 211136B48003888FDB10CFA9C588BDEFFF4EB48324F148459D455A3610D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054CD5CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640785674.00000000054CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 054CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_54cd000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad47ce8318038dbc9c4d0af7e91763e312e3b955efb40fb07ff2c901ee03e5f
Instruction ID: 4e5ca78e9ed2af25744a1bde3fe025e24974045fd39b98c7074a5375f7f6d2aa
Opcode Fuzzy Hash: 0ad47ce8318038dbc9c4d0af7e91763e312e3b955efb40fb07ff2c901ee03e5f
Instruction Fuzzy Hash: 022124B9A04284DFDB44DF10D9C4B67BF62FBD8224F2485FED9090B206C336D856C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 054CD5C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640785674.00000000054CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 054CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_54cd000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7f4f13aee4dd2d28d0ff9ce2ed98ebdb6cfc1b470272758c5b2a475dd69952
Instruction ID: 3790fb0ced0369ce34d4fc9319b34997031810cb80809f100b494cc38a646505
Opcode Fuzzy Hash: 5c7f4f13aee4dd2d28d0ff9ce2ed98ebdb6cfc1b470272758c5b2a475dd69952
Instruction Fuzzy Hash: C5119D76904284CFDB01CF10D9C4B66BF72FB84224F2486EAD8490B656C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 055D20D8 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

, xrefs: 055D21EE

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7158fdd8bcb193c60c308e305a21c82cfed1b2c332cbba1caf6ecf3df515c224
Instruction ID: b9f1f1435e67039b2545e3e69a317db4466ac83a780f19df4e51772f7e396d97
Opcode Fuzzy Hash: 7158fdd8bcb193c60c308e305a21c82cfed1b2c332cbba1caf6ecf3df515c224
Instruction Fuzzy Hash: C851C076B001198FCB24CBADD8845AEF7B2FFC8221B15817AE619D7754DB31EC418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 09D76E50 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cf10b707ca1e31267e8857f1bdeec32460784a9ad36f34bc6f2d3e255be1e6
Instruction ID: a7c78431e7a922e53a1335a9c527cd27858a90759a145323b6d25ea801d37e1b
Opcode Fuzzy Hash: 82cf10b707ca1e31267e8857f1bdeec32460784a9ad36f34bc6f2d3e255be1e6
Instruction Fuzzy Hash: C012D7F18117868BE310CF26F888599BB61F745329B904228EA651BAD1F7B4124FEF46

Uniqueness

Uniqueness Score: -1.00%

Function 055DBC38 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e9bd9e876f6ac39b50d9f6c643a354d5588a98933c0a02c776372ca5ee6a8
Instruction ID: 35fa33e09dd3a6beceb6cb2fe7f280df9acea3dbdd9bb8143481877bc2ccca1f
Opcode Fuzzy Hash: e12e9bd9e876f6ac39b50d9f6c643a354d5588a98933c0a02c776372ca5ee6a8
Instruction Fuzzy Hash: 92914971E042099FDB20DFA9C9847EEFBF2BF88324F158129E405A7294DB749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D76E40 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.641203722.0000000009D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d70000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bffdd29f23d645cd1b71126efc5c86ed13a026fc19d226bc004fed0a9ebf2c
Instruction ID: 7c9514a2935e55269b72d92b5dc1cb72a96289fc27dffe175047b5aa89e1a609
Opcode Fuzzy Hash: d5bffdd29f23d645cd1b71126efc5c86ed13a026fc19d226bc004fed0a9ebf2c
Instruction Fuzzy Hash: 60C13DB18117868BE710CF66F888199BB71FB85329F504228F9652B6D0F7B4124FEF46

Uniqueness

Uniqueness Score: -1.00%

Function 055D1E51 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.640922867.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_55d0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b1b14ee16a393fc95b7a2159e18b55443e42ebe18f7529bea2b62769e8759d
Instruction ID: 5a76aa39ad72a164c13898811e367209faef9c42d56e10788773325b69595f04
Opcode Fuzzy Hash: 00b1b14ee16a393fc95b7a2159e18b55443e42ebe18f7529bea2b62769e8759d
Instruction Fuzzy Hash: A0617C32F105249FD714DB69CC84EAEB7A3BFC8614F2A8164E40A9B765DF31AC01CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AutoInstall.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
AutoInstall.exe

Function 055D1478 Relevance: 1.6, Strings: 1, Instructions: 382
COMMON

Function 055DDEE0 Relevance: 1.6, Strings: 1, Instructions: 339
COMMON

Function 055D1DA0 Relevance: 1.5, Strings: 1, Instructions: 239
COMMON

Function 09D7592C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 09D767B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
comCOMMON

Function 055D9884 Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Function 055D794C Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 09D77C59 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 09D75F78 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 09D7681C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 09D77FE9 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Function 09D74E88 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Function 09D76DA9 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON