Edit tour

Windows Analysis Report
qOiBFeRq7X.exe

Overview

General Information

Sample Name:	qOiBFeRq7X.exe
Analysis ID:	708237
MD5:	e350cbab3b64e8f7e523619721392d21
SHA1:	719c508f86b5e0a5c97d90dfad8aa30ca5f344f9
SHA256:	b25478bd070ab292272094d6a9793a0e7eba11340b2693258eccd6876196c5e3
Tags:	185-25-204-244ServereasySrlexeMorpheus
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

PE file contains more sections than normal

Potential time zone aware malware

Installs a raw input device (often for capturing keystrokes)

Program does not show much activity (idle)

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

qOiBFeRq7X.exe (PID: 2512 cmdline: "C:\Users\user\Desktop\qOiBFeRq7X.exe" MD5: E350CBAB3B64E8F7E523619721392D21)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: qOiBFeRq7X.exe

Virustotal: Detection: 7%

Perma Link

Source: qOiBFeRq7X.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 185.25.204.244:9090

Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244

Source: qOiBFeRq7X.exe

Binary or memory string: github.com/gonutz/w32/v2.getRawInputData

Source: qOiBFeRq7X.exe

Static PE information: Number of sections : 14 > 10

Source: qOiBFeRq7X.exe	Static PE information: Section: /19 ZLIB complexity 0.9957361985125858
Source: qOiBFeRq7X.exe	Static PE information: Section: /32 ZLIB complexity 0.9980690696022727
Source: qOiBFeRq7X.exe	Static PE information: Section: /65 ZLIB complexity 0.9984093597374848

Source: qOiBFeRq7X.exe

Virustotal: Detection: 7%

Source: qOiBFeRq7X.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qOiBFeRq7X.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qOiBFeRq7X.exe

String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: classification engine

Classification label: mal48.winEXE@2/0@0/1

Source: unknown	Process created: C:\Users\user\Desktop\qOiBFeRq7X.exe "C:\Users\user\Desktop\qOiBFeRq7X.exe"
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01

Source: qOiBFeRq7X.exe

Static file information: File size 4145664 > 1048576

Source: qOiBFeRq7X.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: qOiBFeRq7X.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12f400
Source: qOiBFeRq7X.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x132600

Source: qOiBFeRq7X.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: qOiBFeRq7X.exe	Static PE information: section name: /4
Source: qOiBFeRq7X.exe	Static PE information: section name: /19
Source: qOiBFeRq7X.exe	Static PE information: section name: /32
Source: qOiBFeRq7X.exe	Static PE information: section name: /46
Source: qOiBFeRq7X.exe	Static PE information: section name: /65
Source: qOiBFeRq7X.exe	Static PE information: section name: /78
Source: qOiBFeRq7X.exe	Static PE information: section name: /90
Source: qOiBFeRq7X.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\qOiBFeRq7X.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\qOiBFeRq7X.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: qOiBFeRq7X.exe, 00000000.00000002.259002698.000002D0DA2D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Software Packing	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qOiBFeRq7X.exe	0%	ReversingLabs
qOiBFeRq7X.exe	7%	Virustotal		Browse

Domains and IPs

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.25.204.244	unknown	Italy		60798	ASSERVEREASYIT	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708237
Start date and time:	2022-09-23 07:54:20 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qOiBFeRq7X.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@2/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 100%) Quality average: 75.8% Quality standard deviation: 24.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target qOiBFeRq7X.exe, PID 2512 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASSERVEREASYIT	Bt1MbEJx8u.exe	Get hash	malicious	Browse	185.229.237.73
V4bjKWslit	Get hash	malicious	Browse	185.242.183.188
RFQ2201002 PFK.xlsx	Get hash	malicious	Browse	185.25.206.144
croILhAeSR	Get hash	malicious	Browse	185.242.183.174
WjmYak325l.exe	Get hash	malicious	Browse	185.242.180.182
soramrk.arm	Get hash	malicious	Browse	185.242.183.179
2bb0000.exe	Get hash	malicious	Browse	185.242.180.72
fOMSAB0Sfe.exe	Get hash	malicious	Browse	185.242.180.72
F9TrHRE53b.exe	Get hash	malicious	Browse	185.242.180.213

Instruction
jmp 00007F7424AE83F0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F7424AEC0FEh
dec eax
mov eax, 00000000h
jmp 00007F7424AEC175h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dd000	0x47c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x415000	0x42560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3de000	0x55a8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x264180	0x140	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12f2ad	0x12f400	False	0.44155438478977743	data	6.134186837146027	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x131000	0x132548	0x132600	False	0.40453513871889024	data	5.359995809128577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x264000	0x777c8	0x1ba00	False	0.37967512726244346	data	4.447089029507736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0x2dc000	0x127	0x200	False	0.6171875	data	5.097874074212899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x2dd000	0x36838	0x36a00	False	0.9957361985125858	data	7.994836896991751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x314000	0xafee	0xb000	False	0.9980690696022727	data	7.939302201607372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x31f000	0x30	0x200	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x320000	0x665c7	0x66600	False	0.9984093597374848	data	7.997091496748059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x387000	0x42e51	0x43000	False	0.9844478777985075	data	7.992917864787682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x3ca000	0x122d6	0x12400	False	0.974703017979452	data	7.801272414782094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x3dd000	0x47c	0x600	False	0.3333333333333333	data	3.569267435002183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3de000	0x55a8	0x5600	False	0.32639898255813954	data	5.435661439949003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x3e4000	0x30cee	0x30e00	False	0.2462735773657289	data	5.299414661215501	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x415000	0x42560	0x42600	False	0.03361508356873823	data	1.4857977616407179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4150e8	0x42028	data
RT_GROUP_ICON	0x457110	0x14	data
RT_MANIFEST	0x457128	0x434	XML 1.0 document, ASCII text	English	United States

DLL	Import
kernel32.dll	WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 07:55:19.176639080 CEST	49708	9090	192.168.2.6	185.25.204.244
Sep 23, 2022 07:55:19.202127934 CEST	9090	49708	185.25.204.244	192.168.2.6
Sep 23, 2022 07:55:19.708651066 CEST	49708	9090	192.168.2.6	185.25.204.244
Sep 23, 2022 07:55:19.734209061 CEST	9090	49708	185.25.204.244	192.168.2.6
Sep 23, 2022 07:55:20.240000963 CEST	49708	9090	192.168.2.6	185.25.204.244
Sep 23, 2022 07:55:20.265697956 CEST	9090	49708	185.25.204.244	192.168.2.6

Target ID:	0
Start time:	07:55:17
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\qOiBFeRq7X.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qOiBFeRq7X.exe"
Imagebase:	0xf20000
File size:	4145664 bytes
MD5 hash:	E350CBAB3B64E8F7E523619721392D21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	07:55:18
Start date:	23/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.725203166929832
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	qOiBFeRq7X.exe
File size:	4145664
MD5:	e350cbab3b64e8f7e523619721392d21
SHA1:	719c508f86b5e0a5c97d90dfad8aa30ca5f344f9
SHA256:	b25478bd070ab292272094d6a9793a0e7eba11340b2693258eccd6876196c5e3
SHA512:	f17f8a257da81eefa3517642e71f2873c287561a3e8e166f36fd0df82928a60b0f9544f59241af4d0a63457b7ae568de97697ebb9270f8fdc21a8cab3c7e9617
SSDEEP:	49152:LyYds833khrb/TrvO90d7HjmAFd4A64nsfJvdp/nBWg/UljSVplAKsq1wxEUUSbw:z3ITnbZfAg
TLSH:	0E166B4FBC9495A5C5E9D230C96982927630BC451B2037DFEA5CBABB2B337C05E36394
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........8......."..................Y........@...............................E...........`... ............................

Entrypoint:	0x465900
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9cbefe68f395e67356e2a5d8d1b285c0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qOiBFeRq7X.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: qOiBFeRq7X.exePID: 2512, Parent PID: 5692

General

Chronological Activities

Analysis Process: conhost.exePID: 5384, Parent PID: 2512

General

Chronological Activities

Windows Analysis Report
qOiBFeRq7X.exe