Edit tour

Windows Analysis Report
Confirming#000092002.exe

Overview

General Information

Sample Name:	Confirming#000092002.exe
Analysis ID:	596169
MD5:	24a097b3cd1e774e29e6e3e4f5e6522a
SHA1:	f856350b37fae02331ce184b1f258f80900d8de5
SHA256:	23cae5cce339ef9de5d22c2117af79d45013d65241fbe6faa7a36e94e191b42b
Tags:	exelimeratwarzonerat
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

Confirming#000092002.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\Confirming#000092002.exe" MD5: 24A097B3CD1E774E29E6E3E4F5E6522A)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Confirming#000092002.exe

ReversingLabs: Detection: 54%

Source: 1.2.Confirming#000092002.exe.ea0000.0.unpack	Avira: Label: ADWARE/Adware.Gen8
Source: 1.0.Confirming#000092002.exe.ea0000.0.unpack	Avira: Label: ADWARE/Adware.Gen8

Source: Confirming#000092002.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Confirming#000092002.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: Confirming#000092002.exe

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EAA22B FindFirstFileExW,

Source: Confirming#000092002.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Confirming#000092002.exe, 00000001.00000000.244166012.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe
Source: Confirming#000092002.exe	Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EAFA9C

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: String function: 00EA4730 appears 34 times

Source: Confirming#000092002.exe

ReversingLabs: Detection: 54%

Source: Confirming#000092002.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA1B39 __EH_prolog3_catch_GS,__alloca_probe_16,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary,

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA14A2 CoCreateInstance,

Source: Confirming#000092002.exe

Static file information: File size 1320960 > 1048576

Source: Confirming#000092002.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400

Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Confirming#000092002.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Confirming#000092002.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Confirming#000092002.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: Confirming#000092002.exe

Source: Confirming#000092002.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Confirming#000092002.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Confirming#000092002.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Confirming#000092002.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Confirming#000092002.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EB01B1 push ecx; ret

Source: C:\Users\user\Desktop\Confirming#000092002.exe

API coverage: 3.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA71A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EAA22B FindFirstFileExW,

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA4959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA7B8E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA9DF6 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA71A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EAB2B8 GetProcessHeap,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA4AEF SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA4959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA72E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Confirming#000092002.exe	Code function: 1_2_00EA42DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA4775 cpuid

Source: C:\Users\user\Desktop\Confirming#000092002.exe

Code function: 1_2_00EA4BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Confirming#000092002.exe	55%	ReversingLabs	Win32.Trojan.Tnega

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.Confirming#000092002.exe.ea0000.0.unpack	100%	Avira	ADWARE/Adware.Gen8		Download File
1.0.Confirming#000092002.exe.ea0000.0.unpack	100%	Avira	ADWARE/Adware.Gen8		Download File

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	596169
Start date and time:	2022-03-24 11:33:12 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Confirming#000092002.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 91.9%) Quality average: 77.4% Quality standard deviation: 31.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateThreadEx calls found.
Report size getting too big, too many NtResumeThread calls found.
Report size getting too big, too many NtTerminateThread calls found.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.7481336301363
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Confirming#000092002.exe
File size:	1320960
MD5:	24a097b3cd1e774e29e6e3e4f5e6522a
SHA1:	f856350b37fae02331ce184b1f258f80900d8de5
SHA256:	23cae5cce339ef9de5d22c2117af79d45013d65241fbe6faa7a36e94e191b42b
SHA512:	bece11031bd79539c0669a62f3945d43ce0d78d768d242762c81213f471af17dc7a33c04527f1276edb27510334f8aae7b19b2cc2c204af2d560f0612e2f8651
SSDEEP:	6144:aNk8vti3OqUP1bL00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+e:Ak8l4D4pa7+ocZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V\-..=C..=C..=C..V@..=C..VF..=C.pEG..=C.pE@..=C.pEF.#=C..VE..=C..VG..=C..VB..=C..=B..=C..DJ..=C..D...=C..=...=C..DA..=C.Rich.=C

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x404718
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6237B381 [Sun Mar 20 23:06:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5ed77736e49da7d22b203d8d8f918a6b

Entrypoint Preview

Instruction
call 00007F006871E223h
jmp 00007F006871DB8Fh
retn 0000h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00405570h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00419008h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [00542724h], 00000000h
sub esp, 24h
or dword ptr [00419010h], 01h
push 0000000Ah
call dword ptr [0041122Ch]
test eax, eax
je 00007F006871DEC2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x174a0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x143000	0xd28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0x12dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16380	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x162c0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf9cd	0xfa00	False	0.605875	data	6.61019563742	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x7322	0x7400	False	0.416386045259	data	4.90923942869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x129e78	0x129400	False	0.133981253942	data	2.29316435389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x143000	0xd28	0xe00	False	0.339006696429	data	3.85073462575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x144000	0x12dc	0x1400	False	0.7365234375	data	6.39751442919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x1434d0	0xaa	ASCII text	English	United States
TYPELIB	0x1436a0	0x4d0	data	English	United States
RT_DIALOG	0x143580	0x11a	data	English	United States
RT_STRING	0x143b70	0x32	data	English	United States
RT_VERSION	0x1431f0	0x2dc	data	English	United States
RT_MANIFEST	0x143ba8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	DecodePointer, DeleteCriticalSection, GetTickCount, AcquireSRWLockExclusive, AssignProcessToJobObject, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateSemaphoreW, DebugBreak, DeleteFileW, DisconnectNamedPipe, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, EnumSystemLocalesW, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLocalTime, GetLocaleInfoW, GetLongPathNameW, CreateThread, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHandleCount, GetProcessHeaps, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetModuleFileNameA, SizeofResource, VirtualProtect, SetLastError, VirtualAlloc, LoadLibraryExA, LeaveCriticalSection, FindResourceA, Sleep, IsDBCSLeadByte, LoadResource, WideCharToMultiByte, lstrcmpiA, GetConsoleOutputCP, SetFilePointerEx, SetStdHandle, IsValidCodePage, HeapReAlloc, HeapSize, LCMapStringW, WriteFile, VirtualQuery, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RaiseException, CloseHandle, GetLastError, MultiByteToWideChar, GetCurrentThreadId, InitializeCriticalSectionEx, GetModuleFileNameW, RtlUnwind, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, GetProcessHeap, HeapFree, IsDebuggerPresent, OutputDebugStringW, HeapAlloc, WriteConsoleW
USER32.dll	CharNextA, MessageBoxA
ADVAPI32.dll	RegQueryInfoKeyW, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegEnumKeyExA, RegCloseKey
ole32.dll	CoCreateInstance, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc
OLEAUT32.dll	VarUI4FromStr

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	MultiRead
FileVersion	1, 0, 0, 1
ProductName	MultiRead Module
ProductVersion	1, 0, 0, 1
FileDescription	MultiRead Module
OriginalFilename	MultiRead.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	12:34:20
Start date:	24/03/2022
Path:	C:\Users\user\Desktop\Confirming#000092002.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Confirming#000092002.exe"
Imagebase:	0xea0000
File size:	1320960 bytes
MD5 hash:	24A097B3CD1E774E29E6E3E4F5E6522A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Confirming#000092002.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

System Behavior

Analysis Process: Confirming#000092002.exePID: 6540, Parent PID: 2372

General

Disassembly

Windows Analysis Report
Confirming#000092002.exe