Edit tour

Windows Analysis Report
wcfForestCo.exe

Overview

General Information

Sample Name:	wcfForestCo.exe
Analysis ID:	800715
MD5:	f938aa196e23b9094027f158bf80798e
SHA1:	facb5b573302f9c34964a481bb8457643347f1ce
SHA256:	2648c1a9757baa37580a9c4ca8f6975105d09bd2ecc5c14ada62f5eaea154fd3
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Generic Downloader

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Creates or modifies windows services

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

wcfForestCo.exe (PID: 2816 cmdline: C:\Users\user\Desktop\wcfForestCo.exe MD5: F938AA196E23B9094027F158BF80798E)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wcfForestCo.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.wcfForestCo.exe.ef0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: wcfForestCo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wcfForestCo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: wcfForestCo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wcfForestCo.exe.ef0000.0.unpack, type: UNPACKEDPE

Source: wcfForestCo.exe	String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip
Source: wcfForestCo.exe	String found in binary or memory: https://api.ipify.org
Source: wcfForestCo.exe	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy

Source: wcfForestCo.exe, 00000000.00000002.315547881.0000000001619000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: wcfForestCo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wcfForestCo.exe, 00000000.00000002.315547881.0000000001619000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs wcfForestCo.exe

Source: C:\Users\user\Desktop\wcfForestCo.exe	Code function: 0_2_030675D8		0_2_030675D8
Source: C:\Users\user\Desktop\wcfForestCo.exe	Code function: 0_2_030675E8		0_2_030675E8

Source: C:\Users\user\Desktop\wcfForestCo.exe

File read: C:\Users\user\Desktop\wcfForestCo.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe	Code function: 0_2_03061250 StartServiceCtrlDispatcherW,	0_2_03061250
Source: C:\Users\user\Desktop\wcfForestCo.exe	Code function: 0_2_03061390 StartServiceCtrlDispatcherW,	0_2_03061390
Source: C:\Users\user\Desktop\wcfForestCo.exe	Code function: 0_2_03061398 StartServiceCtrlDispatcherW,	0_2_03061398

Source: wcfForestCo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wcfForestCo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wcfForestCo.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\wcfForestCo.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Code function: 0_2_03061250 StartServiceCtrlDispatcherW,

0_2_03061250

Source: unknown	Process created: C:\Users\user\Desktop\wcfForestCo.exe C:\Users\user\Desktop\wcfForestCo.exe
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_01
Source: C:\Users\user\Desktop\wcfForestCo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\wcfForestCo.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wcfForestCo.exe.log

Jump to behavior

Source: classification engine

Classification label: sus24.troj.winEXE@2/1@0/0

Source: wcfForestCo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wcfForestCo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wcfForestCo.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Code function: 0_2_03061250 StartServiceCtrlDispatcherW,

0_2_03061250

Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe TID: 3140

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe	Queries volume information: C:\Users\user\Desktop\wcfForestCo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wcfForestCo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wcfForestCo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Service Execution	12 Windows Service	12 Windows Service	1 Masquerading	1 Input Capture	21 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wcfForestCo.exe	4%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	wcfForestCo.exe	false		high
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	wcfForestCo.exe	false	Avira URL Cloud: safe	unknown
http://checkip.amazonaws.com/)https://ipinfo.io/ip	wcfForestCo.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800715
Start date and time:	2023-02-07 18:34:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	wcfForestCo.exe
Detection:	SUS
Classification:	sus24.troj.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wcfForestCo.exe.log

Download File

Process:	C:\Users\user\Desktop\wcfForestCo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1127
Entropy (8bit):	5.353994890074522
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7Q8mE4jE4Kx1qE4j:MxHKXwYHKhQnoPtHoxHhAHKzvQ8mHjH5
MD5:	A0DF45763304E0A0715AE227CC910664
SHA1:	A05B64DCF34FB2D7B01EDA5D60CE9C1E315D8499
SHA-256:	421DD6A0063E67257CB99E12D47B75241F6EC344C001D7D9EC11097F1F024C0D
SHA-512:	E5F7628D91DD689962A29063A689B1293A653E64FAA24465C3CEFB67BE5E8B63AD1585183C4AF43623EA69974BF11FEA5F07387FB2DEB94CDCE066EFC3DDF899
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.931110271623046
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	wcfForestCo.exe
File size:	140288
MD5:	f938aa196e23b9094027f158bf80798e
SHA1:	facb5b573302f9c34964a481bb8457643347f1ce
SHA256:	2648c1a9757baa37580a9c4ca8f6975105d09bd2ecc5c14ada62f5eaea154fd3
SHA512:	86efdf59d062add31d4c0fb4ef35b1f27ce84a969fe0c2a8a0e9258377e297b78b80333c6ab02f314b80f5a86d1022593632044fa0876670388be07bd8152301
SSDEEP:	3072:WBfluqwu1J/k5JHPHsk0ayk0p2TKDHPHsk0ayk0p2nHPHsk0ayk0p2V:WNlurfPHsk0ayk0pa2PHsk0ayk0piPHK
TLSH:	08D32F5273EA0658F2FA6A7A4AB345758773B545247ECA1E25CCA01A0FF3B018911FF3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zr.c.............................7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x42379e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63E2727A [Tue Feb 7 15:47:06 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23748	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x648	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x217a4	0x21800	False	0.2474638526119403	data	4.962971152767575	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x648	0x800	False	0.3505859375	data	3.5858750671922213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x240a0	0x3b4	data
RT_MANIFEST	0x24458	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wcfForestCo.exePID: 2816, Parent PID: 3324

General

Target ID:	0
Start time:	18:35:53
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\wcfForestCo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wcfForestCo.exe
Imagebase:	0xef0000
File size:	140288 bytes
MD5 hash:	F938AA196E23B9094027F158BF80798E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4360, Parent PID: 2816

General

Target ID:	1
Start time:	18:35:53
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: wcfForestCo.exePID: 2816, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	3

Executed Functions

Function 03061250 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e847ecef8af0cf2fea6b50a12ce018ec3a0792fa481ac7cda6af8d5d000d2913
Instruction ID: 741e4b86f7eb08b65812fd5c0cbe823557ad45f0ca8d852a5ba63b4589a04dd4
Opcode Fuzzy Hash: e847ecef8af0cf2fea6b50a12ce018ec3a0792fa481ac7cda6af8d5d000d2913
Instruction Fuzzy Hash: C051EE719017448FCBA4CF2AD4407AEBFF1FF85714F04886EC08A9BA65DB75A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03061390 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 030613F7

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 9d3c3f254c1b19a0399e08555f61128e097c96d17c6d3aeaf46ca559438508b5
Instruction ID: d1c1d3d7f2e306c4651f75635b474ab428db382b4c8a36804913921739a41a7c
Opcode Fuzzy Hash: 9d3c3f254c1b19a0399e08555f61128e097c96d17c6d3aeaf46ca559438508b5
Instruction Fuzzy Hash: 4F1146B1C002598FCB10CF9AD544BEEBFF4EF48320F24846AD558A7240D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03061398 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 030613F7

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: e9068ccef0a0e9dd04c0d9aff7cda34cc89dd874abb155a48ea0c507a5c0b398
Instruction ID: 9faae78b84f8183a42431f072532f299bd29ee8c8eb26292808aa19e5c7ee9ac
Opcode Fuzzy Hash: e9068ccef0a0e9dd04c0d9aff7cda34cc89dd874abb155a48ea0c507a5c0b398
Instruction Fuzzy Hash: 981125B18002098FCB10DF9AD544BEEFBF4EF48320F24842AD519A7640D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030656BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030666DE,?,?,?,?,?), ref: 0306679F

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62baace1d05ea57cc50070988731df42ccb50ada4ca2392bc55fb23027d90379
Instruction ID: 117b00e0bf0f5952a3699bc496efb439ef9fb8206383e891af6694fc91b3f4af
Opcode Fuzzy Hash: 62baace1d05ea57cc50070988731df42ccb50ada4ca2392bc55fb23027d90379
Instruction Fuzzy Hash: A321E3B590120CAFDB10CFAAD584AEEFBF4EB48320F14841AE915B7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03068400 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,030683E8,04266264,?), ref: 03068479

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 147eaf533b4416241fb038d141384ec3125aae6b6cf50e388145bc421a18a2df
Instruction ID: 1c12ab6520e08509fd0dcb5b60eab2df7228cbcb5fab1bca6a74e5bda167b2e1
Opcode Fuzzy Hash: 147eaf533b4416241fb038d141384ec3125aae6b6cf50e388145bc421a18a2df
Instruction Fuzzy Hash: E42129B19002099FDB10CF9AC944BEEFBF5FB48320F14842AD454A7750D778A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03066FD4 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,030683E8,04266264,?), ref: 03068479

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: fdf044b55c0baae68035dca80c587a2fc001fcdc8be306c2da9eb4ae63bbc235
Instruction ID: 2047564f1235d36bc17bdf9d1b1ff6eb4f3fbf1725b2ca2fdf9182b0073f94a4
Opcode Fuzzy Hash: fdf044b55c0baae68035dca80c587a2fc001fcdc8be306c2da9eb4ae63bbc235
Instruction Fuzzy Hash: 332147B1900209CFDB10CF9AC944BEEFBF4EB88320F14842AE414A3250D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03066711 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030666DE,?,?,?,?,?), ref: 0306679F

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79ab6e73d845f40b5d717b31a55d6b0dde60666cc9c2e2e833ba524ccd11152d
Instruction ID: 678a9c63ef6dbbe73a11fe187b33f17c6558642ef6e55fc8ee39d75dbe1a3510
Opcode Fuzzy Hash: 79ab6e73d845f40b5d717b31a55d6b0dde60666cc9c2e2e833ba524ccd11152d
Instruction Fuzzy Hash: E821B0B5D112199FDB10CFAAD584AEEBBF4FB48320F14841AE918A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03068790 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,0306591D,?,?,?), ref: 03068815

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: c7738866a0a14e7addae76278ba295dd5eb6c5b981fce2fd3d23cba16aca9bdc
Instruction ID: 72d8d28089398459d923a1af12b17a93c1e5fa1c0e072dc2eef4fe4d8fa775c7
Opcode Fuzzy Hash: c7738866a0a14e7addae76278ba295dd5eb6c5b981fce2fd3d23cba16aca9bdc
Instruction Fuzzy Hash: B62102B6C013599FCB10CF9AD988ADEFBF4FB48310F14852EE818A7604D374A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03065644 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,0306591D,?,?,?), ref: 03068815

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: dc219db2078b1e7f18d7429508db817d615ae81363a90f015e32cb6da62fc627
Instruction ID: 515f4f566ad0eb2004ad1ac1505331b13e89442cb3fcaef8d57f16b3c10f5c85
Opcode Fuzzy Hash: dc219db2078b1e7f18d7429508db817d615ae81363a90f015e32cb6da62fc627
Instruction Fuzzy Hash: 1521D3B59013199FCB10CF9AD988ADEFBF4FB48310F14856EE819B7604D374A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD278 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315271548.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969436c4c5eccafe6d2fabbfbc3c9989c18fad0abe0ea55013cbece83fb957c0
Instruction ID: 8e6a9fda7967d1394f2c2f3423fe311464e79d3dea6d90c6b3f242c5d0674d25
Opcode Fuzzy Hash: 969436c4c5eccafe6d2fabbfbc3c9989c18fad0abe0ea55013cbece83fb957c0
Instruction Fuzzy Hash: D2210879904240DFDB55CF94D9C0B2BBF65FB84724F24C57ED8050A266C336D416CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD540 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315271548.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a013d73e7341ddf3d05ff1dc6f97482c49af64fbe169e7ef67e2cde14b771e9
Instruction ID: 12b408a34022cbcee125ddc1adb029243704e090931fd0492a95ced0a39338d5
Opcode Fuzzy Hash: 7a013d73e7341ddf3d05ff1dc6f97482c49af64fbe169e7ef67e2cde14b771e9
Instruction Fuzzy Hash: 73210279904240DFDB55DF48C9C0B27BF61EB98714F24857ED8090B256C336D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD273 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315271548.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119e16563eb2f3823becda3d78e5a835c6f3967ad9cf4505c5a24e744d6fc5ec
Instruction ID: 70e0c672d72e15f25e88c10a8540a465b11cd371cf41956af9d2fa41dd6f0fd0
Opcode Fuzzy Hash: 119e16563eb2f3823becda3d78e5a835c6f3967ad9cf4505c5a24e744d6fc5ec
Instruction Fuzzy Hash: A921C076804240CFCB02CF44D9C4B16BF71FB84310F24C2AAD8040A666C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD53B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315271548.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
Instruction ID: 3ac3498753453485fba622a1709ce1b318ca47f7ef2ad4fb7c504f8e9b55fac4
Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
Instruction Fuzzy Hash: 8111AF7A904280CFDB16CF54D5C4B16BF61FB88724F2886AED8094B666C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 030675E8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009350cc1fa26d967b75869612e9a091cd867c44d98989e3afd817876859c0f4
Instruction ID: b0b08c8242e2958fac8368e1380c6b887a13abb798c482803627913c7d17ccbe
Opcode Fuzzy Hash: 009350cc1fa26d967b75869612e9a091cd867c44d98989e3afd817876859c0f4
Instruction Fuzzy Hash: 1A120AB0C2A709CBD720CFA5E44A1843FA2B745334F566B08F9619B6D1DFB9118ACF64

Uniqueness

Uniqueness Score: -1.00%

Function 030675D8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.315973661.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_wcfForestCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded0569c2ca1d9459c6e24239cfbdd9ea96f14d57f293b850a183375032d8bb2
Instruction ID: c436909d5457a140fef05b3b72c925f152886c4fe9fbbc2991fb9b53f3421e28
Opcode Fuzzy Hash: ded0569c2ca1d9459c6e24239cfbdd9ea96f14d57f293b850a183375032d8bb2
Instruction Fuzzy Hash: E5C11CB0C2A7098BD710CFA5E84A1893FB2BB45334F156B08F561AB6D0DFB91486CF64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wcfForestCo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wcfForestCo.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wcfForestCo.exePID: 2816, Parent PID: 3324

General

Chronological Activities

Analysis Process: conhost.exePID: 4360, Parent PID: 2816

General

Chronological Activities

Windows Analysis Report
wcfForestCo.exe

Function 03061250 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 03061390 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 03061398 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 030656BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 03068400 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 03066FD4 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 03066711 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 03068790 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Function 03065644 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON