Windows Analysis Report
ySJ1HwLs9k

Overview

General Information

Sample Name: ySJ1HwLs9k (renamed file extension from none to exe)
Analysis ID: 682138
MD5: cd76badf66246e0424954805222e4f58
SHA1: e8c6d68e67d853180d36116e3ba27e4f12346dc2
SHA256: 8cfefc291d9088ef0b3ab7dd59d8ff672e73d333c8d18bd1dff4c7695ae8af83
Tags: 32exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
May check the online IP address of the machine
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection

Source: ySJ1HwLs9k.exe Avira: detected
Source: ySJ1HwLs9k.exe Virustotal: Detection: 53%
Source: ySJ1HwLs9k.exe ReversingLabs: Detection: 80%
Source: ySJ1HwLs9k.exe Joe Sandbox ML: detected
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack Avira: Label: LNK/Runner.VPGD
Source: ySJ1HwLs9k.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ySJ1HwLs9k.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: ySJ1HwLs9k.exe, type: SAMPLE
Source: Yara match File source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: ySJ1HwLs9k.exe String found in binary or memory: http://exmple.com/Uploader.php
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp, ySJ1HwLs9k.exe, 00000000.00000002.246418693.000000000276F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: ySJ1HwLs9k.exe String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.comx
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: ySJ1HwLs9k.exe, 00000000.00000002.245886288.00000000008B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ySJ1HwLs9k.exe
Source: ySJ1HwLs9k.exe, 00000000.00000000.237922513.000000000044E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXWorm.exe4 vs ySJ1HwLs9k.exe
Source: ySJ1HwLs9k.exe Binary or memory string: OriginalFilenameXWorm.exe4 vs ySJ1HwLs9k.exe
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Code function: 0_2_00007FFC017C5412 0_2_00007FFC017C5412
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Code function: 0_2_00007FFC017C4666 0_2_00007FFC017C4666
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Code function: 0_2_00007FFC017C0DCB 0_2_00007FFC017C0DCB
Source: ySJ1HwLs9k.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ySJ1HwLs9k.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Mutant created: \Sessions\1\BaseNamedObjects\DfPMuDiGLmV7f2GT
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ySJ1HwLs9k.exe.log
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/1@1/1
Source: ySJ1HwLs9k.exe, Stub/Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ySJ1HwLs9k.exe, Stub/Helper.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ySJ1HwLs9k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: ySJ1HwLs9k.exe, Stub/Helper.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: ySJ1HwLs9k.exe Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING
Source: ySJ1HwLs9k.exe, 00000000.00000002.246279336.00000000026DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe TID: 5440 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe TID: 4012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Thread delayed: delay time: 922337203685477
Source: ySJ1HwLs9k.exe Binary or memory string: vmware
Source: ySJ1HwLs9k.exe Binary or memory string: DetectVirtualMachine
Source: ySJ1HwLs9k.exe, 00000000.00000002.246553755.000000001B4E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Code function: 0_2_00007FFC017C649D CheckRemoteDebuggerPresent, 0_2_00007FFC017C649D
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Queries volume information: C:\Users\user\Desktop\ySJ1HwLs9k.exe VolumeInformation
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid