Edit tour

Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name:	Ou0ZT4968y.exe
Analysis ID:	753418
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags:	32exetrojan
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Injects a PE file into a foreign processes

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Ou0ZT4968y.exe (PID: 4204 cmdline: C:\Users\user\Desktop\Ou0ZT4968y.exe MD5: 27B75158DCFEBA6B3419BDBB15397584)

conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 6096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

WerFault.exe (PID: 1216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Perma Link

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx

Source: Ou0ZT4968y.exe, 00000000.00000000.263396775.0000000000D0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011535CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011533A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01155ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01155F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011D1D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01153378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01154C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011513AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011525A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01154462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152838
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01152414

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 01154FC0 appears 58 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 011521BC appears 41 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 01152F36 appears 78 times

Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Source: Ou0ZT4968y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4204

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.spyw.evad.winEXE@5/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: Ou0ZT4968y.exe

Static file information: File size 3838464 > 1048576

Source: Ou0ZT4968y.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Ou0ZT4968y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_01152158 push ecx; ret

Source: Ou0ZT4968y.exe

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01151A64 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115302B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_01154827 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_011C2752 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_01155D94 GetProcessHeap,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_01160375 LdrInitializeThunk,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_0115579A SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4CF2008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_011D4A53 GetTimeZoneInformation,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_011558DF GetSystemTimeAsFileTime,

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	311 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	311 Process Injection	1 Input Capture	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ou0ZT4968y.exe	34%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx	0%	Avira URL Cloud	safe
https://studio.youtube.comSAPISIDHASH	0%	Avira URL Cloud	safe

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753418
Start date and time:	2022-11-24 19:46:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Ou0ZT4968y.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.spyw.evad.winEXE@5/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 9.1% (good quality ratio 8.1%) Quality average: 72.1% Quality standard deviation: 33.3%
HCA Information:	Successful, ratio: 53% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:47:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6333673483266187
Encrypted:	false
SSDEEP:	96:BaF+Bywfq7hooI7Rj6tpXIQcQvc6QcEDMcw3Dz+HbHg6ZAXGng5FMTPSkvPkpXmt:YUEgKHBUZMXwjE/u7sYS274Ithd
MD5:	E3388C180CA99CBB06B4FB511ABED0BC
SHA1:	401193C3EAD21B346B3491F1A75DF4825EB07DD5
SHA-256:	FA7F3F2FB2DC97680A1175BE9FFD628A4153ED3271DB415E8ED66A5FBFB1EAEA
SHA-512:	B157E4A47EE0FF42B9668927CA7CC8A42CFD94C41A643AE555321839BB9E7B8C0C39A3903124C665D88F1ED46009D51A2F0AEF9A98CE034AFCA3F8DE8EE7B075
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.3.8.2.1.6.3.4.1.5.4.2.8.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.3.8.2.1.6.3.4.9.0.4.2.7.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.7.c.c.2.f.2.-.4.a.0.3.-.4.e.6.2.-.9.5.c.7.-.c.3.b.e.b.f.f.c.c.7.4.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.b.d.5.3.b.8.-.d.e.d.9.-.4.e.2.d.-.8.3.6.1.-.6.1.8.0.4.9.5.0.d.2.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.u.0.Z.T.4.9.6.8.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.6.c.-.0.0.0.1.-.0.0.1.f.-.b.d.1.9.-.9.2.9.3.8.0.0.0.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.b.5.3.c.e.d.0.4.4.4.c.0.0.7.6.6.b.3.c.0.8.7.f.d.b.8.c.c.b.7.a.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.1.3.5.c.4.f.c.3.f.a.7.e.0.6.b.f.2.9.5.3.7.f.9.c.b.0.2.9.8.c.c.2.f.1.c.1.d.e.!.O.u.0.Z.T.4.9.6.8.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Nov 25 03:47:14 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	19308
Entropy (8bit):	2.034850742153558
Encrypted:	false
SSDEEP:	192:IiBN776wEO8SUgESYjTTf0LwS6VbwiVB:BL8SUgEnWU
MD5:	5F62CFE3289680CE0BA403BFA713F762
SHA1:	11DB652ED2452D5878A852FE8F0AF28F2DD0B0D6
SHA-256:	87A0635B61D9F5236D89B374CE8B4528E9384775DF853C9215EA475A4FD5C0B9
SHA-512:	AB89FE022F7013D25462866CB198D10C1A5560FC6540263887ECCB60EBB88167C0FBD3395B6261E36F4F45A91034A39D4B6AE73122396F28506D39CF4C7DB196
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........:.c............4........... ...<.......D...............T.......8...........T...........H...$B..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......l....:.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8414
Entropy (8bit):	3.7002308627041924
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNisWM6IrhYI6YqLSUdQLgmfZS/4CprR89bigsf9Z2m:RrlsNie6IrhYI6YWSUd0gmfZSWizfj
MD5:	407BD46C9BE20C03543997A842850C90
SHA1:	E94331EC35B224F55AD3CDC8C4AC35204C759047
SHA-256:	F2D534182D6DA418CE4EE1405ED2459A27E5DC606838E5594B499320A9FC465F
SHA-512:	CFDDD29B18A54B66291E3EFE5927F47D35D2EF5DCD49C983776A67CBBED46BAA7AB24206F01A0FB0BBA52B2DD777DFF6AED40B5E1DBABD4C420C9D21C130D799
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.485959521931812
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9g+Wgc8sqYjI/8fm8M4J2mGMFqVDBQj+q8vFmGw++opNYed:uITfCz/grsqYNJW/DBQjKT95pNYed
MD5:	B803416ADBFF7385C0C65C581A799A10
SHA1:	5EA2F9CF5CA50C9CFB3E1259DF56E9797BC1A55F
SHA-256:	3A6B6AD246307AB0A5DBE6C122A1D306280A1174BCE7AFFDE5F492466EE72B78
SHA-512:	C0D9C84E24D508DE7571C3394108A4F771380FC4585F69F3428AE353F2A09F18AE737BB4E0EB5B681A0FB70DA0FCB3A3FA072991C3201CE3D978E1A5BEDD8C07
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1795017" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Ou0ZT4968y.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:E:E
MD5:	3C59DC048E8850243BE8079A5C74D079
SHA1:	472B07B9FCF2C2451E8781E944BF5F77CD8457C8
SHA-256:	6F4B6612125FB3A0DAECD2799DFD6C9C299424FD920F9B308110A2C1FBD8F443
SHA-512:	198DABF4BAC21CF35CDDB48DB0F8B67C56B2BDF63767242AEA7342FE68C0B9DF8D37F3E47A134648E19F1640E158F2E527E636DB122A9143307CF309EFCB85D9
Malicious:	false
Reputation:	low
Preview:	21

FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, EncodePointer, DecodePointer, LCMapStringEx, GetLocaleInfoEx, CompareStringEx, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetFileType, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Target ID:	0
Start time:	19:47:01
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Imagebase:	0x1150000
File size:	3838464 bytes
MD5 hash:	27B75158DCFEBA6B3419BDBB15397584
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exePID: 3520, Parent PID: 4204

General

Target ID:	1
Start time:	19:47:02
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exePID: 6096, Parent PID: 4204

General

Target ID:	2
Start time:	19:47:10
Start date:	24/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0x2c0000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 1216, Parent PID: 4204

General

Target ID:	4
Start time:	19:47:12
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Imagebase:	0xe20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.805543225209493
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ou0ZT4968y.exe
File size:	3838464
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
SHA512:	eb9acc530d9c20dc26a00489572fe5b21075181f5f25d6598ebd5292aef5bbce9c2dc89fac04201ea7ce5c5faec545e44c02e54356ae6dfda7d2f70255a930b3
SSDEEP:	49152:YI2A2+xup+pRTSHO1c6R7heQLqPqW7SdZ8iyTgyfw91m0tfSl8TtVlkQb9Hmv3IS:FneShqwhb/lkHv3IzT
TLSH:	B006CF710A5560CAE4D025F84AFB7772A7ECCBB02BC6C7CB428316A942D35C4A5B5F8D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..AA..B..AG..B..AF..B..AC..B..C..B..PF..B..PA..B..PG..B..PG..B..P@..B.Rich.*B.................PE..L..

Entrypoint:	0x4011b8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x637FB129 [Thu Nov 24 18:00:09 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a142061eae8e8b8626d2b5b074229afd

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x100
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a41cc	0x28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x100
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a6000	0x47f4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb16a0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb15b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a4000	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ef24	0x9f000	False	0.3489721526139937	data	5.808660940243666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa0000	0x19ddc	0x19e00	False	0.3395889945652174	data	4.119191864178727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x2e9bc4	0x2e8000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3a4000	0xbdb	0xc00	False	0.3610026041666667	data	4.663842800729639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x3a5000	0x10e	0x200	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a6000	0x71bd	0x7200	False	0.4772820723684211	data	4.965115122336909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://studio.youtube.comSAPISIDHASH	Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx	Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://studio.youtube.com	Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	false		high
https://studio.youtube.com/reauth	Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ou0ZT4968y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: Ou0ZT4968y.exePID: 4204, Parent PID: 3452

General

Analysis Process: conhost.exePID: 3520, Parent PID: 4204

General

Analysis Process: vbc.exePID: 6096, Parent PID: 4204

General

Windows Analysis Report
Ou0ZT4968y.exe