Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Analysis ID:	756119
MD5:	c852376dda1de89231d5f558255775e0
SHA1:	2377355189c59e6f0d4c8792aa959425585dbc61
SHA256:	2c9d6d1a184ed20ff0667797fe4d182170716fb1b179488979bc33f79a901208
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to read the clipboard data

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe (PID: 5640 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe MD5: C852376DDA1DE89231D5F558255775E0)

WerFault.exe (PID: 5688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B5293 FindFirstFileExW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B5347 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AB830 GetKeyboardState,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AACA0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AAA00 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalReAlloc,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001BA9AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001AC4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001A34E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001A8E70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: String function: 001AD900 appears 32 times

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

ReversingLabs: Detection: 17%

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --headless
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --unix
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --width
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --height
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --signal
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Command line argument: --server

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE76B.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.winEXE@2/4@0/1

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001B5A15 push ecx; ret

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: section name: .00cfg
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Static PE information: section name: .voltbl

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

API coverage: 2.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B5293 FindFirstFileExW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B5347 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AD72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B009E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B418D mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001B258B GetProcessHeap,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001AD720 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001ADC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001AD72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	Code function: 0_2_001B37DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AD945 cpuid

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Code function: 0_2_001AD5D2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	17%	ReversingLabs	Win32.Trojan.Convagent
SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756119
Start date and time:	2022-11-29 16:55:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winEXE@2/4@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 78.4%) Quality average: 66.9% Quality standard deviation: 40.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_c136f9839aaccad85a66b9f733bbb3cf4c588e0_e9cd6a7e_166ff3ee\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8714732038462919
Encrypted:	false
SSDEEP:	96:QrxoFzqgLj9UhO9e77f5pXIQcQvc6QcEDMcw3Diji+HbHg/EFAeugtYsaV9w72nx:1nmHBUZMXojNPq/u7s+S274ItQ
MD5:	EB7FC93BB3263EEB66BA489D43CB51AD
SHA1:	B3A0BA916F954B0DA8AE7AC539303176757C0642
SHA-256:	520926A637841923CCE32BB1A6238FAF87C40CAA2C76269E05F42C05D47440CF
SHA-512:	96E789C2DF929CB4A656C630E7E99CCA9242930E1584EFF0EF56EDA9AE30FDBB975A9B198406866AD5A92C45274C9B087BB8CEC91A678BFABC21085094F46821
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.4.3.3.7.1.5.1.5.8.9.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.4.3.3.7.2.7.1.9.0.1.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.0.e.a.6.5.e.-.3.6.2.c.-.4.6.b.3.-.b.3.6.9.-.3.3.c.c.1.4.1.d.9.6.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.e.4.9.b.a.4.-.c.5.9.b.-.4.8.b.8.-.8.6.b.e.-.9.d.8.4.f.f.7.5.9.7.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...P.W.S.X.-.g.e.n...1.6.1.8.8...7.0.9.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.0.8.-.0.0.0.1.-.0.0.1.a.-.0.3.9.2.-.d.d.8.8.5.6.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.0.a.9.7.e.b.e.a.e.1.0.7.0.8.9.f.8.7.4.8.f.e.7.8.a.7.a.a.a.3.8.0.0.0.0.f.f.f.f.!.0.0.0.0.2.3.7.7.3.5.5.1.8.9.c.5.9.e.6.f.0.d.4.c.8.7.9.2.a.a.9.5.9.4.2.5.5.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE76B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Nov 30 00:56:12 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	40616
Entropy (8bit):	2.003000119461151
Encrypted:	false
SSDEEP:	192:ghhUkWXpDiOcgjV+T71PyznTM89xyc62DujPpIYtn:+6hcY+T7ZyzTN92PSCn
MD5:	3BCFE29C334432700B094F1FC88DD0F6
SHA1:	F9E2D5799A2FB03010AA8C16F46FEBF8F3C27E35
SHA-256:	3CCC35DB1139D794A77C61519F9A8BA09A7E97D3E054B8EE70BB1C089D482F7B
SHA-512:	71D099A9DAAA3DC006D4C225FF1DB28D99CD91A4F188CEAE81382F0644DBCAD0D0A4DE3C41AF371E566CF5D82B8908C7E53C83C24954387A6CCEBE7F816D40E3
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......,..c.........................................&..........T.......8...........T........................... ................................................................................U...........B..............GenuineIntelW...........T...........)..c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA98.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.6979070914958747
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiFI6hXx5dv6YqASUMegmfIS0Cpr+89bx9UsfXzlm:RrlsNiq6hXx5dv6YNSUMegmfISbx9Hf0
MD5:	9A0987CA0C23DC8894104FD280D1C9CB
SHA1:	86A49E082370B17C4C9386B5008FB580BA8A221F
SHA-256:	4F9BF8E8B553A8DF0B80CBABBEB310193F14D9078FE513BC294342397ECC9F8A
SHA-512:	346E611884A82B1D470D45296F60A9BB7AE881CAE125D542E974A994B3CBB237CC79B3A5FAE9C54F36E2BADD51DF57EBBA60367B4394F962A84C72582437516B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB55.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4787
Entropy (8bit):	4.559141635088195
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtWI9f3Wgc8sqYji8fm8M4JEwTZWaFlB+q81LG/tiE3P9zWz/d:uITffwGgrsqYLJTB/nZ0/d
MD5:	955A54B626D1F0F1007DAAB9D2C55C57
SHA1:	9E2662E1C47A4A13C8D82BCB94D0395F91FEB409
SHA-256:	CDBCCAAC3A30A680FE826E60D0A549404F4161ECC925EEC1A1462371F4602A86
SHA-512:	AEF3C0DCBED91B7CEFE5ADF0B78FB7CC5075D9032BA452C27936693A929CA8D28B47F614A73D0CDFA6F71B41C246D94A9C95658FD5D87BCC6942ECBA7F616B36
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1802046" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.182857922109804
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
File size:	147968
MD5:	c852376dda1de89231d5f558255775e0
SHA1:	2377355189c59e6f0d4c8792aa959425585dbc61
SHA256:	2c9d6d1a184ed20ff0667797fe4d182170716fb1b179488979bc33f79a901208
SHA512:	35734b4b784630927e4da3cd2ffa69e664bdd0cedce1bfe7e8bc6f0c35b0f06174c05f553c4dd84b4843d257bc46892a9226ff6f719ff6fdcb06dd23fff8bb80
SSDEEP:	3072:8OPPLcLPR2kaQ+nYwZbBPUxRC/akBYcgVg7JkWmjwaY4YFOnJKwy:8iLcLPRi/xB8gFLm8oJKd
TLSH:	41E33B11B0C2C0B7C76724B301E796FB3A39B7219B615DDF5B580E686B395E0A630A37
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......c............................,.............@.......................................@........................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40d32c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385E3E9 [Tue Nov 29 10:50:17 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8644442967ce2e1b40266fb36e00cd91

Entrypoint Preview

Instruction
call 00007F6A10CB93DBh
jmp 00007F6A10CB8FFFh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F6A10CB918Fh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [00425A60h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007F6A10CB9189h
call 00007F6A10CBC612h
jmp 00007F6A10CB918Dh
push 00425A60h
call 00007F6A10CBC595h
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 00422EA8h
call 00007F6A10CB9701h
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007F6A10CB91DFh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F6A10CB91CEh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F6A10CB91C0h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007F6A10CB9302h
pop ecx
pop ecx
test eax, eax
je 00007F6A10CB91A9h
cmp dword ptr [eax+24h], 00000000h
jl 00007F6A10CB91A3h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007F6A10CB91A1h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21788	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x14c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c560	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21c1c	0x37c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1a0d0	0x1a200	False	0.4765998803827751	data	6.254058720378555	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x7424	0x7600	False	0.4095272775423729	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4309148	4.9666568554916495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x24000	0x258c	0xa00	False	0.16171875	data	2.098226797581286	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x27000	0x8	0x200	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.voltbl	0x28000	0x22	0x200	False	0.091796875	data	0.6504699138522845
.rsrc	0x29000	0x1a8	0x200	False	0.486328125	data	4.183569951400347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0x14c4	0x1600	False	0.7718394886363636	data	6.426785687436811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x29060	0x143	XML 1.0 document, ASCII text	English	United States

Imports

DLL	Import
SHLWAPI.dll	GetMenuPosFromID, PathRemoveExtensionA, SHRegQueryUSValueW, StrRChrW, UrlEscapeA
ole32.dll	CreateClassMoniker, EnableHookObject, HMETAFILE_UserUnmarshal, OleInitialize, StgCreateStorageEx, WriteStringStream
MSWSOCK.dll	GetTypeByNameW, TransmitFile, getnetbyname
WINMM.dll	joyGetNumDevs, midiStreamPosition, midiStreamRestart, mixerClose, mixerGetLineControlsW
pdh.dll	PdhConnectMachineA, PdhGetDefaultPerfCounterA, PdhRemoveCounter, PdhVbGetCounterPathElements, PdhVbGetOneCounterPath, PdhVbOpenQuery
OLEAUT32.dll	OleLoadPictureEx, VARIANT_UserMarshal, VarDateFromCy, VarR8Pow, VarUI2FromDate
CRYPT32.dll	CertDuplicateStore, CertFindRDNAttr, CertFreeCertificateContext, CryptMsgCountersign
RPCRT4.dll	NdrByteCountPointerBufferSize, NdrClientInitializeNew, NdrUserMarshalUnmarshall, RpcBindingInqAuthInfoW, RpcBindingSetOption, RpcMgmtEnableIdleCleanup, RpcMgmtInqComTimeout
KERNEL32.dll	CloseHandle, CreateEventW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemCodePagesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GlobalAlloc, GlobalLock, GlobalReAlloc, GlobalSize, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MulDiv, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, WaitForMultipleObjects, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrcmpW, lstrcpyW, lstrlenW
USER32.dll	AdjustWindowRect, BeginPaint, CharLowerBuffW, CharUpperBuffW, ClientToScreen, CloseClipboard, CreateCaret, CreateMenu, CreatePopupMenu, CreateWindowExW, DefWindowProcW, DestroyCaret, DispatchMessageW, EmptyClipboard, EnableMenuItem, EndPaint, FillRect, GetCapture, GetClientRect, GetClipboardData, GetDC, GetDlgItem, GetDpiForSystem, GetFocus, GetKeyboardState, GetParent, GetSystemMenu, GetSystemMetrics, GetWindowLongW, HideCaret, InsertMenuW, InvalidateRect, InvertRect, IsClipboardFormatAvailable, IsWindowVisible, LoadCursorW, LoadIconW, LoadStringW, MapVirtualKeyW, MsgWaitForMultipleObjects, OpenClipboard, PeekMessageW, PostMessageW, PostQuitMessage, RegisterClassW, ReleaseCapture, ReleaseDC, ScrollWindow, SetCapture, SetCaretPos, SetClipboardData, SetRect, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPos, SetWindowTextW, ShowCaret, ShowScrollBar, ShowWindow, SystemParametersInfoW, ToUnicode, TrackPopupMenu, UpdateWindow, VkKeyScanW, wsprintfW
GDI32.dll	BitBlt, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateFontIndirectW, CreateSolidBrush, DeleteObject, EnumFontFamiliesExW, GetStockObject, GetTextFaceW, GetTextMetricsW, LineTo, MoveToEx, SelectObject, SetBkColor, SetTextColor, TextOutW, TranslateCharsetInfo
COMCTL32.dll
ADVAPI32.dll	RegCloseKey, RegCreateKeyW, RegSetValueExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	16:56:09
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Imagebase:	0x1a0000
File size:	147968 bytes
MD5 hash:	C852376DDA1DE89231D5F558255775E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exePID: 5688, Parent PID: 5640

General

Target ID:	2
Start time:	16:56:10
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464
Imagebase:	0x2b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_c136f9839aaccad85a66b9f733bbb3cf4c588e0_e9cd6a7e_166ff3ee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE76B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA98.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB55.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exePID: 5640, Parent PID: 3452

General

Analysis Process: WerFault.exePID: 5688, Parent PID: 5640

General

Disassembly

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe