Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name:Ou0ZT4968y.exe
Analysis ID:753418
MD5:27b75158dcfeba6b3419bdbb15397584
SHA1:8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags:32exetrojan
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Allocates memory in foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Injects a PE file into a foreign processes
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Ou0ZT4968y.exe (PID: 4204 cmdline: C:\Users\user\Desktop\Ou0ZT4968y.exe MD5: 27B75158DCFEBA6B3419BDBB15397584)
    • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 6096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • WerFault.exe (PID: 1216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: Ou0ZT4968y.exeVirustotal: Detection: 34%Perma Link
Source: Ou0ZT4968y.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Ou0ZT4968y.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exeString found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
Source: Ou0ZT4968y.exe, 00000000.00000000.263396775.0000000000D0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Ou0ZT4968y.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011535CB0_2_011535CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115510A0_2_0115510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011524140_2_01152414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115510F0_2_0115510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01151E2E0_2_01151E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011522700_2_01152270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011533A50_2_011533A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115278E0_2_0115278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01155ECF0_2_01155ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01155F740_2_01155F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011D1D690_2_011D1D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01151E1A0_2_01151E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01151A730_2_01151A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011511540_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011511540_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01152DBA0_2_01152DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011533780_2_01153378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01154C0F0_2_01154C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011513AC0_2_011513AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011525A40_2_011525A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011544620_2_01154462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01152EA00_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01152EA00_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011528380_2_01152838
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011524140_2_01152414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 01154FC0 appears 58 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 011521BC appears 41 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 01152F36 appears 78 times
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0
Source: Ou0ZT4968y.exeVirustotal: Detection: 34%
Source: Ou0ZT4968y.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4204
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmpJump to behavior
Source: classification engineClassification label: mal64.spyw.evad.winEXE@5/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Ou0ZT4968y.exeStatic file information: File size 3838464 > 1048576
Source: Ou0ZT4968y.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000
Source: Ou0ZT4968y.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01152158 push ecx; ret 0_2_011886D3
Source: Ou0ZT4968y.exeStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress,0_2_01160C7A
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeAPI coverage: 3.8 %
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0115384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01151A64 mov eax, dword ptr fs:[00000030h]0_2_01151A64
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115302B mov eax, dword ptr fs:[00000030h]0_2_0115302B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01154827 mov eax, dword ptr fs:[00000030h]0_2_01154827
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011C2752 mov eax, dword ptr fs:[00000030h]0_2_011C2752
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress,0_2_01160C7A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01155D94 GetProcessHeap,0_2_01155D94
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_01160375 LdrInitializeThunk,0_2_01160375
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0115384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_0115579A SetUnhandledExceptionFilter,0_2_0115579A

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4CF2008Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetLocaleInfoW,0_2_0115282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetLocaleInfoW,0_2_0115282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: EnumSystemLocalesW,0_2_011CB629
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_01153431
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011D4A53 GetTimeZoneInformation,0_2_011D4A53
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_011558DF GetSystemTimeAsFileTime,0_2_011558DF

Stealing of Sensitive Information

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Native API
Path Interception311
Process Injection
1
Virtualization/Sandbox Evasion
1
OS Credential Dumping
2
System Time Discovery
Remote Services1
Input Capture
Exfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts311
Process Injection
1
Input Capture
3
Security Software Discovery
Remote Desktop Protocol1
Archive Collected Data
Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager1
Virtualization/Sandbox Evasion
SMB/Windows Admin Shares1
Data from Local System
Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
Obfuscated Files or Information
NTDS1
Remote System Discovery
Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets12
System Information Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753418 Sample: Ou0ZT4968y.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 64 19 Multi AV Scanner detection for submitted file 2->19 6 Ou0ZT4968y.exe 1 2->6         started        process3 signatures4 21 Writes to foreign memory regions 6->21 23 Allocates memory in foreign processes 6->23 25 Injects a PE file into a foreign processes 6->25 9 vbc.exe 6->9         started        12 WerFault.exe 24 9 6->12         started        15 conhost.exe 6->15         started        process5 file6 27 Tries to harvest and steal browser information (history, passwords, etc) 9->27 17 C:\ProgramData\Microsoft\...\Report.wer, Unicode 12->17 dropped signatures7

This section contains all screenshots as thumbnails, including those not shown in the slideshow.