Edit tour

Windows Analysis Report
555.exe

Overview

General Information

Sample Name:	555.exe
Analysis ID:	594633
MD5:	ed37ebbe1746dd0d566c8c4769655e0b
SHA1:	0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
SHA256:	b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
Tags:	ArkeiStealerexeVidar
Infos:

Detection

Oski Stealer Vidar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Oski Stealer

Antivirus / Scanner detection for submitted sample

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Injects a PE file into a foreign processes

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to enumerate network shares

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Found evaded block containing many API calls

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

555.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\555.exe" MD5: ED37EBBE1746DD0D566C8C4769655E0B)

555.exe (PID: 6444 cmdline: C:\Users\user\Desktop\555.exe MD5: ED37EBBE1746DD0D566C8C4769655E0B)

WerFault.exe (PID: 6864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Vidar	Vidar Payload	kevoreilly	0x1056:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x75b10:$wallet: walle.dat
Process Memory Space: 555.exe PID: 6192	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: 555.exe PID: 6192	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.555.exe.400000.4.raw.unpack	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
3.0.555.exe.400000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.0.555.exe.400000.4.raw.unpack	Vidar	Vidar Payload	kevoreilly	0x1056:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x75b10:$wallet: walle.dat
3.2.555.exe.400000.0.unpack	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
3.2.555.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.555.exe.400000.0.unpack	Vidar	Vidar Payload	kevoreilly	0x456:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x74310:$wallet: walle.dat
Click to see the 1 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Users\user\Desktop\555.exe, CommandLine: C:\Users\user\Desktop\555.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\555.exe, NewProcessName: C:\Users\user\Desktop\555.exe, OriginalFileName: C:\Users\user\Desktop\555.exe, ParentCommandLine: "C:\Users\user\Desktop\555.exe" , ParentImage: C:\Users\user\Desktop\555.exe, ParentProcessId: 6192, ProcessCommandLine: C:\Users\user\Desktop\555.exe, ProcessId: 6444

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 555.exe	Virustotal: Detection: 71%	Perma Link
Source: 555.exe	Metadefender: Detection: 41%	Perma Link
Source: 555.exe	ReversingLabs: Detection: 78%

Antivirus / Scanner detection for submitted sample

Source: 555.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://dersed.com/freebl3.dll

Virustotal: Detection: 5%

Perma Link

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040A053 _memset,CryptStringToBinaryA,_memmove,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004108CF __EH_prolog3,_malloc,_memmove,CryptUnprotectData,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040D053 __EH_prolog3,_malloc,_memmove,CryptUnprotectData,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040D3A5 __EH_prolog3,_malloc,_memmove,CryptUnprotectData,

Source: 555.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00408B20 mmioSeek,mmioDescend,mmioDescend,mmioDescend,mmioSeek,mmioClose,CreateFileA,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,CloseHandle,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ClientToScreen,WindowFromPoint,GetActiveWindow,PlaySoundA,_TrackMouseEvent,GetDlgItem,lstrcpyW,GetCurrentDirectoryW,midiInGetNumDevs,midiInGetDevCapsA,midiInOpen,midiInStart,midiInClose,GetDlgItem,BeginPaint,GetClientRect,CreateFontA,SelectObject,DeleteObject,SetBkMode,DrawTextA,EndPaint,VirtualQuery,VirtualQuery,VirtualQuery,GetParent,SendDlgItemMessageA,SHAutoComplete,PostMessageA,_memset,InsertMenuItemA,lstrcpyW,NetUserEnum,lstrcpyA,lstrlenW,ImageList_DragMove,lstrcpyA,PathCompactPathA,lstrcpyA,lstrlenW,lstrcpyA,WideCharToMultiByte,NetApiBufferFree,MulDiv,CreateFontW,GetModuleHandleA,CreateWindowExA,SendMessageA,SendMessageA,GlobalAlloc,ExitProcess,LoadLibraryA,EnableWindow,GlobalAlloc,ExitProcess,DefDlgProcA,FindResourceA,SizeofResource,LoadResource,LockResource,CreateFileA,GetProcAddress,WriteFile,VirtualAlloc,CloseHandle,LoadBitmapA,lstrcatA,LoadLibraryA,GetProcAddress,WSACreateEvent,WSAWaitForMultipleEvents,ShowWindow,EnumChildWindows,ChooseFontA,CreateFontIndirectA,BeginPaint,SelectObject,TextOutA,EndPaint,DefWindowProcA,StartPage,GetTextMetricsW,PostQuitMessage,#17,CreateWindowExA,ImageList_LoadImageA,ImageList_LoadImageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTextExtentExPointW,ExtTextOutW,_memmove,EndPage,GetLocalTime,GetTimeFormatW,SendMessageW,SendMessageW,SendMessageW,GetDateFormatW,SendMessageW,HideCaret,

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00411CE4 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00404BD7 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F1C4 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00405291 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00453605 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F72A __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00405742 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

Source: unknown

DNS traffic detected: query: dersed.com replaycode: Name error (3)

Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/288
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/freebl3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/freebl3.dllyD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/mozglue.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/mozglue.dllkD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/msvcp140.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/msvcp140.dllGD
Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dllcom/freebl3.dll
Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dllv
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllLD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllUD
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllmb
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dll
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dllGc
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dll_i
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dllbg
Source: 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ip-api.com/line/

Source: unknown

DNS traffic detected: queries for: dersed.com

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00409559 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Vidar Payload Author: kevoreilly
Source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vidar Payload Author: kevoreilly
Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Vidar Payload Author: kevoreilly

Source: 555.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload

Source: C:\Users\user\Desktop\555.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00408B20
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0040AC10
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00407DF0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00438147
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00423130
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00430308
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0043943F
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004464D0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0043751A
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00447649
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004306F0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042F703
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00405900
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00437A6B
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00446AAD
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042FB98
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00445DBF
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042FF36
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00436FC9
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00432FF6
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045604F
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046E069
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046A18D
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046A575
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0044C530
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046E5BA
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00456AB1
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046EB0B
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00454B1E
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0044AB25
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00426E19
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00438FBA
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046F1E7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00459280
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469588
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004157E1
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004477E7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469A1D
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00429DA3
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469DBB
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0043FE0C
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00449EE7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046FFB0

Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00458B40 appears 59 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004100F0 appears 57 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004150F3 appears 37 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00404150 appears 70 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0040143A appears 59 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004220AE appears 103 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00422493 appears 44 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0042A1F0 appears 49 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004256B0 appears 85 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00425719 appears 64 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004223BB appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00459097 appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004032D8 appears 33 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0042207B appears 67 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00421ED1 appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0045F610 appears 59 times

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_04773914 NtQueryInformationProcess,

Source: 555.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 555.exe	Virustotal: Detection: 71%
Source: 555.exe	Metadefender: Detection: 41%
Source: 555.exe	ReversingLabs: Detection: 78%

Source: 555.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\555.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\555.exe "C:\Users\user\Desktop\555.exe"
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe

Source: C:\Users\user\Desktop\555.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000031A-0000-0000-C000-000000000046}\InprocServer32

Source: C:\Users\user\Desktop\555.exe

File created: C:\Users\user\AppData\Local\Temp\D601.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@4/4@7/1

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00409559 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004223F4 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0042226B GetLastError,FormatMessageW,FormatMessageA,LocalFree,_free,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040A1D5 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\555.exe	Mutant created: \Sessions\1\BaseNamedObjects\d06ed635-68f6-4e9a-955c-4899f5f57b9a{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444

Source: C:\Users\user\Desktop\555.exe

Source: C:\Users\user\Desktop\555.exe	Command line argument: D"E
Source: C:\Users\user\Desktop\555.exe	Command line argument: D"E
Source: C:\Users\user\Desktop\555.exe	Command line argument: Win
Source: C:\Users\user\Desktop\555.exe	Command line argument: HOMEDRIVE
Source: C:\Users\user\Desktop\555.exe	Command line argument: HOMEPATH
Source: C:\Users\user\Desktop\555.exe	Command line argument: Generator
Source: C:\Users\user\Desktop\555.exe	Command line argument: Win
Source: C:\Users\user\Desktop\555.exe	Command line argument: kk-KZ
Source: C:\Users\user\Desktop\555.exe	Command line argument: be-BY
Source: C:\Users\user\Desktop\555.exe	Command line argument: uz-UZ
Source: C:\Users\user\Desktop\555.exe	Command line argument: ru-RU
Source: C:\Users\user\Desktop\555.exe	Command line argument: az-AZ

Source: C:\Users\user\Desktop\555.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\555.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 555.exe

Static file information: File size 1304576 > 1048576

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042A235 push ecx; ret
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042574F push ecx; ret
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00458C18 push ecx; ret
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045F655 push ecx; ret

Source: C:\Users\user\Desktop\555.exe

Source: 555.exe

Static PE information: real checksum: 0x13f018 should be: 0x14b34b

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040ADF5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,__wgetenv,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\555.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\555.exe

Event Logs and Signature results: Application crash and keyboard check

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004164C4 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00416512h

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00450D1B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00450E46h

Source: C:\Users\user\Desktop\555.exe

Window / User API: foregroundWindowGot 453

Source: C:\Users\user\Desktop\555.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\555.exe

API coverage: 9.9 %

Source: C:\Users\user\Desktop\555.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004274F9 GetSystemInfo,

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00411CE4 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00404BD7 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F1C4 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00405291 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00453605 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F72A __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00405742 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node

Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_004230EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00439101 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_04771560 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\555.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\555.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004230EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004287EA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042CF16 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00458B31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00466FD1 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045F80E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\555.exe

Memory written: C:\Users\user\Desktop\555.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\555.exe

Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe

Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
Source: C:\Users\user\Desktop\555.exe	Code function: ____lc_handle_func,GetLocaleInfoW,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\555.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\555.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\555.exe	Code function: __EH_prolog3,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memset,LocalFree,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
Source: C:\Users\user\Desktop\555.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\555.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\555.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_0044D58B __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040A13F _memset,GetVersionExA,

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00450776 GetUserNameA,

Stealing of Sensitive Information

Yara detected Oski Stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: file__0.localstorage
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match

File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Remote Access Functionality

Yara detected Oski Stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00408870 CoInitialize,CreateBindCtx,MkParseDisplayName,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	111 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	111 Process Injection	LSASS Memory	12 System Time Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Account Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	2 File and Directory Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	26 System Information Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
555.exe	71%	Virustotal		Browse
555.exe	41%	Metadefender		Browse
555.exe	79%	ReversingLabs	Win32.Trojan.Graftor
555.exe	100%	Avira	HEUR/AGEN.1206114

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1206114	Download File
3.2.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1210209	Download File
0.0.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1206114	Download File
0.2.555.exe.712ed8.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
dersed.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://dersed.com/freebl3.dll	5%	Virustotal		Browse
http://dersed.com/freebl3.dll	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dllv	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dllbg	0%	Avira URL Cloud	safe
http://dersed.com/288	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllUD	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dll_i	0%	Avira URL Cloud	safe
http://dersed.com/msvcp140.dllGD	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllmb	0%	Avira URL Cloud	safe
http://dersed.com/msvcp140.dll	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dll	0%	Avira URL Cloud	safe
http://dersed.com/mozglue.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllLD	0%	Avira URL Cloud	safe
http://dersed.com/freebl3.dllyD	0%	Avira URL Cloud	safe
http://dersed.com/mozglue.dllkD	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dllcom/freebl3.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dll	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dllGc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dersed.com	unknown	unknown	false	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://dersed.com/freebl3.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dllv	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dllbg	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/288	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dll	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllUD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dll_i	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/msvcp140.dllGD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllmb	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/msvcp140.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dll	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/mozglue.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllLD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/freebl3.dllyD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://dersed.com/mozglue.dllkD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dllcom/freebl3.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/	555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	false		high
http://dersed.com/softokn3.dll	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dllGc	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	594633
Start date and time:	2022-03-22 22:51:33 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	555.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@4/4@7/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 96% (good quality ratio 85.8%) Quality average: 70.5% Quality standard deviation: 33.1%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.20, 20.54.110.249
Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:53:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_555.exe_73a2317c9b18c06fb4572ea77cd525ee3f28dbd_69550887_1ab655c1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9430986111528993
Encrypted:	false
SSDEEP:	192:M2AFk0lk4YHBUZMXojAK3Yw/u7shS274Itx:QPlk9BUZMXojL/u7shX4Itx
MD5:	9B8FC50DD0D29F54F499621D50C8AD62
SHA1:	1273BFD6929FB2B4CA4874A792AE69816B1E2F11
SHA-256:	9655AA68E28BDC15B2CBB4DAA13850F1A086D82D45FF56F78C3FEEE8A0CBF803
SHA-512:	BFC071EAB661547CB0BD88D00ECBBEF817CF30CF4A9ACBCAEFF1BFB1569075424335948962E71C07F5360BC53316DCF1687D9CF46278F62EC1F89128B49EAE95
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.4.6.3.1.8.9.2.9.4.5.4.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.4.6.3.1.9.4.0.4.4.5.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.b.1.4.f.5.b.-.8.2.8.0.-.4.5.a.e.-.b.e.e.9.-.7.5.f.a.d.4.b.7.9.6.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.2.3.d.f.d.7.-.1.7.0.6.-.4.7.b.5.-.9.3.4.9.-.d.c.5.f.9.a.f.9.a.e.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.5.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.2.c.-.0.0.0.1.-.0.0.1.c.-.7.9.3.2.-.0.8.9.4.3.f.3.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.d.f.1.3.d.4.1.7.b.e.7.e.f.d.1.d.6.5.0.9.b.f.e.9.4.7.4.8.5.3.9.0.0.0.0.0.9.0.4.!.0.0.0.0.0.a.5.5.9.e.b.f.6.a.b.1.c.d.f.2.9.2.c.7.9.a.a.c.5.a.c.2.0.c.2.3.6.d.9.7.5.e.b.7.!.5.5.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.0.9././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D28.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Mar 22 22:53:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	92494
Entropy (8bit):	1.9553236387916726
Encrypted:	false
SSDEEP:	384:HvVcEVMCcx960PIEQUnVT9sEQOeYBF+D+2IYBO:HyChQI5gVKE4YBF+x6
MD5:	87D9B100A994FF000B5C06267BE0226D
SHA1:	46D41AFA9086777230CB38F7F957024E34F57815
SHA-256:	258E97FE2FC99EE493D3F78937B42C864BBA2654D5348A464FC129E83F464970
SHA-512:	F4CE8D98D9AF8FAF155BDBC3BB62E35D74B558465F79D520ACB009747F669CC50CEE20772B0DC326E96AA5DA322DAC4808831FAA4C8598D48AF45EADC96EDA73
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......WS:b.........................................D..........T.......8...........T...........x....:...........................................................................................U...........B...... ......GenuineIntelW...........T.......,...KS:b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER497D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	3.688431082756376
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWN6Irwt6Yei6DgmfhhS8+pr589bWTsf0Oym:RrlsNi06IrS6Yj6DgmfnSGW4fv
MD5:	CDE05209CC74B1005E7AD76327AA3173
SHA1:	651DF6AA11E2B4F6CDF1E21A1228A0FF68CD0743
SHA-256:	ABB9D8C4C33EEC5B9D10B346747AE37C70F8F58CCDC7D12984A467C0A4AE4531
SHA-512:	19AB7546E950373EC778423E45C2D08718D9C5525182D14F42CC2F2082A10247515AE4728541736B8453A7B3A277DAA4602BC77E0B15C60C65C9D3F9CE33C0E9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E21.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4522
Entropy (8bit):	4.423325556237254
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI9NJWgc8sqYjK8fm8M4J61RF3I+q8mbwhHXSrxd:uITfia4grsqYrJ69I/wxSrxd
MD5:	68930925340EA9386F5C57115BC56C4A
SHA1:	21FFD5E3BDD640870D896B69AB35C588364B5611
SHA-256:	F6AA5BD71759921218656247A52D2CE89A6BA9F53F4AFB7BBB1A79E45A369E5D
SHA-512:	7E78820E9C2427F020176D43CFBCF73E6785E7E67E08F79EB317E69493D27D63E2F2FE8915B02117097B95A46F350C56177A81DBDA067472424BBC72CD7663E5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1439043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.692192927991023
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	555.exe
File size:	1304576
MD5:	ed37ebbe1746dd0d566c8c4769655e0b
SHA1:	0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
SHA256:	b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
SHA512:	aed30ae2e22ded5374f56062cdbcc2a72edea1d727e7fd0624e627f363d18787d5ce4334066b76b23d10e0a2c0169f06e5d6a8f05037d0943bfea110ee805060
SSDEEP:	24576:atLyuIJLGWVpPq48nuzldzB2sZL7kHNWDzBHc6ewxl:KLgFGYq48nupdzB2sp7kHNW51eE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.....H...H...H..iH...H..]Hc..H.`tH...H.`dH...H...H...H..\H...H..mH...H..jH...HRich...H........................PE..L...t.q]...

File Icon


Icon Hash:	18f0f8d2f2e4f206

Static PE Info

General

Entrypoint:	0x424e16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5D710174 [Thu Sep 5 12:37:08 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5f3146513f84438aa6d693baf35ebf34

Entrypoint Preview

Instruction
call 00007FAC08A60E69h
jmp 00007FAC08A5841Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007FAC08A585A4h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007FAC08A58599h
push eax
call 00007FAC08A56352h
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [004608E0h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx
xor ebx, ebx
push esi
push edi
cmp edx, ebx
jle 00007FAC08A585B1h
mov eax, dword ptr [ebp+14h]
mov ecx, edx
dec ecx
cmp byte ptr [eax], bl
je 00007FAC08A5859Ah
inc eax
cmp ecx, ebx
jne 00007FAC08A58588h
or ecx, FFFFFFFFh
mov eax, edx
sub eax, ecx
dec eax
cmp eax, edx
jnl 00007FAC08A58593h
inc eax
mov dword ptr [ebp+18h], eax
mov dword ptr [ebp-08h], ebx
cmp dword ptr [ebp+24h], ebx
jne 00007FAC08A5859Dh
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+04h]
mov dword ptr [ebp+24h], eax
mov esi, dword ptr [00451204h]
xor eax, eax
cmp dword ptr [ebp+28h], ebx
push ebx
push ebx
push dword ptr [ebp+18h]
setne al
push dword ptr [ebp+14h]
lea eax, dword ptr [00000001h+eax*8]
push eax
push dword ptr [ebp+24h]
call esi
mov edi, eax
mov dword ptr [ebp-10h], edi
cmp edi, ebx
jne 00007FAC08A58599h
xor eax, eax
jmp 00007FAC08A586E7h
jle 00007FAC08A585D5h
push FFFFFFE0h
xor edx, edx
pop eax
div edi
cmp eax, 02h
jc 00007FAC08A585C9h
lea eax, dword ptr [edi+edi+08h]
cmp eax, 00000400h
jnbe 00007FAC08A585A5h
call 00007FAC08A58644h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[LNK] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5e954	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0xdd458	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57690	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f7d9	0x4f800	False	0.48689010908	data	6.55171601636	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0xeca4	0xee00	False	0.418723739496	data	5.42402682187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x60000	0x58c4	0x2800	False	0.26943359375	data	4.43475879322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0xdd458	0xdd600	False	0.962993188876	data	7.93995191617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX	0x6673c	0x10218	data	English	United States
CUSTOM	0x76954	0x36f3e	data	English	United States
RCDATA	0xad894	0x894ac	data	English	United States
RT_ICON	0x136d40	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13af68	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13d510	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13e5b8	0x988	data	English	United States
RT_ICON	0x13ef40	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x13f3a8	0x70	data	English	United States
RT_DIALOG	0x13f418	0x224	data	English	United States
RT_DIALOG	0x13f63c	0x390	data	English	United States
RT_DIALOG	0x13f9cc	0x172	data	English	United States
RT_DIALOG	0x13fb40	0xe2	data	English	United States
RT_DIALOG	0x13fc24	0xf8	data	English	United States
RT_DIALOG	0x13fd1c	0x24c	data	English	United States
RT_STRING	0x13ff68	0xb98	data	English	United States
RT_STRING	0x140b00	0x2a	data	English	United States
RT_STRING	0x140b2c	0x1a4	data	English	United States
RT_STRING	0x140cd0	0xda	data	English	United States
RT_STRING	0x140dac	0x384	data	English	United States
RT_STRING	0x141130	0x38c	data	English	United States
RT_STRING	0x1414bc	0x140	data	English	United States
RT_STRING	0x1415fc	0x71c	data	English	United States
RT_STRING	0x141d18	0x638	data	English	United States
RT_STRING	0x142350	0xe8	data	English	United States
RT_STRING	0x142438	0x4a8	data	English	United States
RT_STRING	0x1428e0	0x38c	data	English	United States
RT_STRING	0x142c6c	0x62	data	English	United States
RT_STRING	0x142cd0	0x13c	data	English	United States
RT_STRING	0x142e0c	0x3a	data	English	United States
RT_GROUP_ICON	0x142e48	0x4c	data	English	United States
RT_VERSION	0x142e94	0x338	data	English	United States
RT_MANIFEST	0x1431cc	0x28a	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTimeFormatA, GetProcessHeap, SetEndOfFile, CreateFileW, SetEnvironmentVariableA, CompareStringW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, HeapReAlloc, GetLocaleInfoW, GetStringTypeW, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, GetDateFormatA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetModuleFileNameW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, GetFileType, InitializeCriticalSectionAndSpinCount, lstrlenW, SetHandleCount, HeapSize, IsValidCodePage, GetOEMCP, GetACP, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetTempPathA, GetTempFileNameA, GetFinalPathNameByHandleA, GetLastError, CreateFileA, GetFileSize, SetFilePointer, ReadFile, CloseHandle, lstrcpyW, GetCurrentDirectoryW, VirtualQuery, QueryPerformanceCounter, lstrcpyA, WideCharToMultiByte, MulDiv, GlobalAlloc, ExitProcess, SizeofResource, LoadResource, LockResource, GetCurrentThreadId, SetLastError, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, HeapCreate, IsProcessorFeaturePresent, HeapAlloc, GetCPInfo, LCMapStringW, GetTimeZoneInformation, GetStartupInfoW, HeapSetInformation, GetCommandLineA, RtlUnwind, RaiseException, FindResourceA, LoadLibraryA, HeapFree, DecodePointer, EncodePointer, GetProcAddress, WriteFile, lstrcatA, GetLocalTime, GetTimeFormatW, GetDateFormatW, GetStdHandle, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, Sleep, MultiByteToWideChar, InterlockedExchange, InterlockedCompareExchange, InterlockedDecrement, InterlockedIncrement
USER32.dll	SendMessageW, PostQuitMessage, DefWindowProcA, LoadBitmapA, DefDlgProcA, ClientToScreen, SendMessageA, CreateWindowExA, InsertMenuItemA, ShowWindow, HideCaret, WindowFromPoint, EnableWindow, UnionRect, SetRect, SetActiveWindow, GetWindowLongA, GetForegroundWindow, IsZoomed, SetWindowPos, GetSystemMetrics, GetWindowRect, EnumChildWindows, PostMessageA, RegisterClassA, SendDlgItemMessageA, GetParent, EndPaint, DrawTextA, GetClientRect, BeginPaint, GetDlgItem, LoadIconA, LoadCursorA, SetWindowLongA, CreateMenu, AppendMenuA, UpdateWindow, GetMessageA, TranslateMessage, DispatchMessageA, IsWinEventHookInstalled, GetActiveWindow
GDI32.dll	CreateFontA, SelectObject, DeleteObject, SetBkMode, CreateFontW, CreateFontIndirectA, TextOutA, StartPage, GetTextMetricsW, GetTextExtentExPointW, ExtTextOutW, EndPage, SetStretchBltMode, GetStockObject
COMDLG32.dll	CommDlgExtendedError, GetSaveFileNameA, ChooseFontA
ADVAPI32.dll	LsaRemoveAccountRights, LsaAddAccountRights
ole32.dll	CoInitialize, CreateBindCtx, MkParseDisplayName
WS2_32.dll	WSACreateEvent, WSAWaitForMultipleEvents
NETAPI32.dll	NetApiBufferFree, NetUserEnum
WINMM.dll	midiInOpen, midiInGetDevCapsA, PlaySoundA, midiInStart, mmioDescend, mmioSeek, midiInClose, mmioClose, midiInGetNumDevs
CRYPT32.dll	CertEnumPhysicalStore
SHLWAPI.dll	SHAutoComplete, PathCompactPathA
COMCTL32.dll	ImageList_GetImageCount, ImageList_LoadImageA, ImageList_Add, ImageList_DragMove, _TrackMouseEvent, ImageList_Create
gdiplus.dll	GdiplusStartup, GdipCloneImage, GdipFree, GdipDeleteGraphics, GdipLoadImageFromFile, GdipDrawImageRectRectI, GdipAlloc, GdipDisposeImage, GdipGetImageWidth, GdipGetImageHeight, GdipCreateFromHDC, GdipSetInterpolationMode
UxTheme.dll	OpenThemeData

Version Infos

Description	Data
LegalCopyright	Bitdefender LLC Copyright . All rights reserved.
CompanyName	Bitdefender LLC
FileDescription	Selfssl Progresses Fatherbard New
Comments	Selfssl Progresses Fatherbard New
ProductName	Cnnmgrestablishcnnectin283715
ProductVersion	8.2.5.127
PrivateBuild	8.2.5.127
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2022 23:53:04.067533016 CET	60758	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.095592022 CET	53	60758	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.115511894 CET	60647	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.136682034 CET	53	60647	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.145426989 CET	64909	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.171823978 CET	53	64909	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.218432903 CET	60381	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.240736008 CET	53	60381	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.260018110 CET	56509	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.281152964 CET	53	56509	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.305391073 CET	54069	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.324481010 CET	53	54069	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.335752964 CET	57747	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.354562044 CET	53	57747	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 22, 2022 23:53:04.067533016 CET	192.168.2.4	8.8.8.8	0x8694	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.115511894 CET	192.168.2.4	8.8.8.8	0xeb1c	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.145426989 CET	192.168.2.4	8.8.8.8	0x99f3	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.218432903 CET	192.168.2.4	8.8.8.8	0x774b	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.260018110 CET	192.168.2.4	8.8.8.8	0x764c	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.305391073 CET	192.168.2.4	8.8.8.8	0x2f6	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.335752964 CET	192.168.2.4	8.8.8.8	0x1447	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 22, 2022 23:53:04.095592022 CET	8.8.8.8	192.168.2.4	0x8694	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.136682034 CET	8.8.8.8	192.168.2.4	0xeb1c	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.171823978 CET	8.8.8.8	192.168.2.4	0x99f3	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.240736008 CET	8.8.8.8	192.168.2.4	0x774b	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.281152964 CET	8.8.8.8	192.168.2.4	0x764c	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.324481010 CET	8.8.8.8	192.168.2.4	0x2f6	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.354562044 CET	8.8.8.8	192.168.2.4	0x1447	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	23:52:41
Start date:	22/03/2022
Path:	C:\Users\user\Desktop\555.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\555.exe"
Imagebase:	0x400000
File size:	1304576 bytes
MD5 hash:	ED37EBBE1746DD0D566C8C4769655E0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: 555.exePID: 6444, Parent PID: 6192

General

Target ID:	3
Start time:	23:52:59
Start date:	22/03/2022
Path:	C:\Users\user\Desktop\555.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\555.exe
Imagebase:	0x400000
File size:	1304576 bytes
MD5 hash:	ED37EBBE1746DD0D566C8C4769655E0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Vidar, Description: Vidar Payload, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: WerFault.exePID: 6864, Parent PID: 6444

General

Target ID:	11
Start time:	23:53:07
Start date:	22/03/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228
Imagebase:	0xb60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 555.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_555.exe_73a2317c9b18c06fb4572ea77cd525ee3f28dbd_69550887_1ab655c1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D28.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER497D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E21.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Windows Analysis Report
555.exe