Edit tour

Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name:	Ou0ZT4968y.exe
Analysis ID:	753418
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags:	32exetrojan
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Injects a PE file into a foreign processes

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Ou0ZT4968y.exe (PID: 1308 cmdline: C:\Users\user\Desktop\Ou0ZT4968y.exe MD5: 27B75158DCFEBA6B3419BDBB15397584)

conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 60 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

WerFault.exe (PID: 4972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Perma Link

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B35CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B33A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B5ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B5F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_00A31D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B3378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B13AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B25A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2838

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B2F36 appears 93 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B21BC appears 45 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B4FC0 appears 70 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 00A2BD8D appears 31 times

Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Source: Ou0ZT4968y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.spyw.evad.winEXE@5/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: Ou0ZT4968y.exe

Static file information: File size 3838464 > 1048576

Source: Ou0ZT4968y.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Ou0ZT4968y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2158 push ecx; ret
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009E71C7 push ecx; ret

Source: Ou0ZT4968y.exe

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B302B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4827 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1A64 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_00A22752 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009B5D94 GetProcessHeap,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0375 LdrInitializeThunk,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B579A SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4955008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoEx,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: EnumSystemLocalesW,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009E86D9 cpuid

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_00A34A53 GetTimeZoneInformation,

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009E8204 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	311 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	311 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ou0ZT4968y.exe	34%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx	0%	Avira URL Cloud	safe
https://studio.youtube.comSAPISIDHASH	0%	Avira URL Cloud	safe

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753418
Start date and time:	2022-11-24 19:53:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Ou0ZT4968y.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.spyw.evad.winEXE@5/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 35% (good quality ratio 32.7%) Quality average: 75.9% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 58% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

Joe Sandbox View / Context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_c69ec5e350e75532f4a4b55ffe3a71c9ab2f95_dac8cab9_132de5cf\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6329695668595557
Encrypted:	false
SSDEEP:	96:l4IFvMywf97hooI7RC6tpXIQcQvc6QcEDMcw3Dj+HbHg6ZAXGng5FMTPSkvPkpXf:ltBgcHBUZMXAjE/u7sYS274ItRd
MD5:	7AC4342A1B85811ABAC24B76E45FE49A
SHA1:	A8499CB46EECF8D8AC21AFDA6BE18035E241CB90
SHA-256:	8DCCCA9025CAD3C72E81F4F21E14D53A4E166B49F3888234D9447B8781ED2894
SHA-512:	2C6E21CBC1F723FB91C7568E4ECF3D84847CB06496A9A4ED7F248B246AA2767F717BA3F9CD133DD98E206D0B0542F21CDA8A14E4523DC8E6E38E2DF54409EC6B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.3.7.8.9.6.5.4.1.8.9.4.3.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.3.7.8.9.6.5.5.8.9.2.5.5.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.e.3.a.d.b.6.-.1.2.9.4.-.4.1.0.c.-.9.7.2.9.-.d.b.c.c.4.b.7.9.7.c.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.a.6.1.a.a.2.-.9.c.7.2.-.4.0.c.c.-.a.6.a.1.-.d.3.2.3.3.6.d.b.8.2.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.u.0.Z.T.4.9.6.8.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.1.c.-.0.0.0.1.-.0.0.1.f.-.5.f.a.d.-.c.8.1.d.3.6.0.0.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.b.5.3.c.e.d.0.4.4.4.c.0.0.7.6.6.b.3.c.0.8.7.f.d.b.8.c.c.b.7.a.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.1.3.5.c.4.f.c.3.f.a.7.e.0.6.b.f.2.9.5.3.7.f.9.c.b.0.2.9.8.c.c.2.f.1.c.1.d.e.!.O.u.0.Z.T.4.9.6.8.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Nov 24 18:54:14 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	19652
Entropy (8bit):	2.034014938714263
Encrypted:	false
SSDEEP:	192:qlilum2KphOROi+6pLPZzJzd6C/EDfYv:snE0PZzJzdz
MD5:	D6CBDA626C8A5B9F30BF23C4A5174EAB
SHA1:	95C4B8E3290F8694C9FC7CC7A5501DB590A21579
SHA-256:	08521C7778E80CF397D6E9639DB800C4E9FDDC844263BAC6FC2418CC22A5F2EA
SHA-512:	E999E9DE6EEEC83F656EE6F8CE033773B25CC26C1806FE9A47056E149750B5EF4F8C592C9FCF28BB7C3598EDC8322065E22C207688A940B62F48AF30C9327569
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........c............4........... ...<.......D...............T.......8...........T...........H...\|C..........\...........H....................................................................U...........B..............GenuineIntelW...........T.............c.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD28.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8420
Entropy (8bit):	3.6974458638675656
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNili6Idw/6YekSU5lgmfOSZGkV+prA89brrsfBZm:RrlsNiQ6Idw/6Y9SU5lgmfOSZGNrwfu
MD5:	676E041CAED641FAA1D9F752A56D126D
SHA1:	799474AEAB27404D44C101393561B0C9BAED70BD
SHA-256:	C12A11E890F3AA61D532339AA79B37EF7A9B5BAE586B5063016AFB6E316466DA
SHA-512:	D75927353DF1DD3C797AE14B59D23F8A37F8C218E51D3CC042150347AB8E4C3A8C02AD50FFF0E9D3AC9A7F8D9AE3C0FF16C43EDD98153CFE3C5F702B87C4DDAE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.481568492896042
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9HfWgc8sqYjD8fm8M4J2mLzMFt2+q8vFmLzFY+opNYzTd:uITfTAOgrsqY0J7zu2KSzy5pNYzTd
MD5:	FEF898BE98C3553564C2770855DD739C
SHA1:	32FEDBF10134E4B676D72E4784B9D59A8F275569
SHA-256:	18164DF80E19CD9DFDC743A86945DE336F3C0032E3BC1B5E745021462E87002D
SHA-512:	CDB02961084B4806FA5D7A49BD825997FA86CFBBD0C3D8DE7F151854ED5D6066F3D34C98319ED71CA205C7F6B1CF58E352521119175AC79A56830D01DF0F98BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1794484" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Ou0ZT4968y.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:E:E
MD5:	3C59DC048E8850243BE8079A5C74D079
SHA1:	472B07B9FCF2C2451E8781E944BF5F77CD8457C8
SHA-256:	6F4B6612125FB3A0DAECD2799DFD6C9C299424FD920F9B308110A2C1FBD8F443
SHA-512:	198DABF4BAC21CF35CDDB48DB0F8B67C56B2BDF63767242AEA7342FE68C0B9DF8D37F3E47A134648E19F1640E158F2E527E636DB122A9143307CF309EFCB85D9
Malicious:	false
Reputation:	low
Preview:	21

FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, EncodePointer, DecodePointer, LCMapStringEx, GetLocaleInfoEx, CompareStringEx, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetFileType, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Target ID:	0
Start time:	19:54:01
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Imagebase:	0x9b0000
File size:	3838464 bytes
MD5 hash:	27B75158DCFEBA6B3419BDBB15397584
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exePID: 1236, Parent PID: 1308

General

Target ID:	1
Start time:	19:54:01
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exePID: 60, Parent PID: 1308

General

Target ID:	2
Start time:	19:54:11
Start date:	24/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0x190000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4972, Parent PID: 1308

General

Target ID:	5
Start time:	19:54:13
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Imagebase:	0xf40000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.805543225209493
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ou0ZT4968y.exe
File size:	3838464
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
SHA512:	eb9acc530d9c20dc26a00489572fe5b21075181f5f25d6598ebd5292aef5bbce9c2dc89fac04201ea7ce5c5faec545e44c02e54356ae6dfda7d2f70255a930b3
SSDEEP:	49152:YI2A2+xup+pRTSHO1c6R7heQLqPqW7SdZ8iyTgyfw91m0tfSl8TtVlkQb9Hmv3IS:FneShqwhb/lkHv3IzT
TLSH:	B006CF710A5560CAE4D025F84AFB7772A7ECCBB02BC6C7CB428316A942D35C4A5B5F8D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..AA..B..AG..B..AF..B..AC..B..C..B..PF..B..PA..B..PG..B..PG..B..P@..B.Rich.*B.................PE..L..

Entrypoint:	0x4011b8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x637FB129 [Thu Nov 24 18:00:09 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a142061eae8e8b8626d2b5b074229afd

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x100
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a41cc	0x28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x100
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a6000	0x47f4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb16a0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb15b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a4000	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ef24	0x9f000	False	0.3489721526139937	data	5.808660940243666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa0000	0x19ddc	0x19e00	False	0.3395889945652174	data	4.119191864178727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x2e9bc4	0x2e8000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3a4000	0xbdb	0xc00	False	0.3610026041666667	data	4.663842800729639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x3a5000	0x10e	0x200	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a6000	0x71bd	0x7200	False	0.4772820723684211	data	4.965115122336909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://sectigo.com/CPS0	Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://studio.youtube.comSAPISIDHASH	Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx	Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://studio.youtube.com	Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://studio.youtube.com/reauth	Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ou0ZT4968y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_c69ec5e350e75532f4a4b55ffe3a71c9ab2f95_dac8cab9_132de5cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD28.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC5.tmp.xml

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: Ou0ZT4968y.exePID: 1308, Parent PID: 3528

General

Analysis Process: conhost.exePID: 1236, Parent PID: 1308

General

Analysis Process: vbc.exePID: 60, Parent PID: 1308

General

Analysis Process: WerFault.exePID: 4972, Parent PID: 1308

Windows Analysis Report
Ou0ZT4968y.exe