Edit tour
Windows
Analysis Report
UxaZyTE7nq.exe
Overview
General Information
| Sample Name: | UxaZyTE7nq.exe |
| Original Sample Name: | 91a442b21fb353b221ea33e767c7fe1b.exe |
| Analysis ID: | 816262 |
| MD5: | 91a442b21fb353b221ea33e767c7fe1b |
| SHA1: | e58e0d08ebdc5e91f43631b339c573a732c07056 |
| SHA256: | 35330f1bbbc0f361845b9b987e2f4ac70cdb96ab3f9e80161c2b8971c7df0df4 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
AsyncRAT, DcRat, VenomRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected DcRat
Yara detected VenomRAT
Yara detected AsyncRAT
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Contains functionality to load drivers
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Enables driver privileges
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Binary contains a suspicious time stamp
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
UxaZyTE7nq.exe (PID: 5248 cmdline: C:\Users\u ser\Deskto p\UxaZyTE7 nq.exe MD5: 91A442B21FB353B221EA33E767C7FE1B) 
MSBuild.exe (PID: 3164 cmdline: C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\MS Build.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74) - aspnet_regsql.exe (PID: 4860 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\as pnet_regsq l.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F) - AddInProcess.exe (PID: 1792 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452) - EdmGen.exe (PID: 4856 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ed mGen.exe MD5: 2B6A31DFD7C9ED8B413DBDAB800F10F3) - RegAsm.exe (PID: 4916 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Re gAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3) - Microsoft.Workflow.Compiler.exe (PID: 3232 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Mi crosoft.Wo rkflow.Com piler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4) - SMSvcHost.exe (PID: 5564 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\SM SvcHost.ex e MD5: 7EC8B56348F9298BCCA7A745C7F70E2C) - ngen.exe (PID: 1368 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\ng en.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A) - aspnet_regbrowsers.exe (PID: 784 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\as pnet_regbr owsers.exe MD5: BF7E443F1E1FA88AD5A2A5EB44F42834) - AddInUtil.exe (PID: 4504 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInUtil.ex e MD5: 65D30D747EB31E108A36EBC966C1227D) - mscorsvw.exe (PID: 4840 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\ms corsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F) - cvtres.exe (PID: 3440 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe MD5: 33BB8BE0B4F547324D93D5D2725CAC3D) - ServiceModelReg.exe (PID: 5388 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Se rviceModel Reg.exe MD5: 80B018258257C2F78CBFE08198883AC1) - jsc.exe (PID: 4532 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\js c.exe MD5: 2B40A449D6034F41771A460DADD53A60)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
{"Server": "127.0.0.1,91.134.187.20", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.1", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "fLhIsNqVZyP3FtIfE3paid39lvLLS0GF", "Mutex": "mhtuxtjimxsu", "Certificate": "MIICLzCCAZigAwIBAgIVAMlWIVjWC1nh9ktodokpLXg1Z7jDMA0GCSqGSIb3DQEBDQUAMGAxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjEOMAwGA1UECwwFVmVub20xGjAYBgNVBAoMEVZlbm9tUkFUIEJ5IFZlbm9tMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjIwNDIzMDE0ODMzWhcNMzMwMTMwMDE0ODMzWjATMREwDwYDVQQDDAhWZW5vbVJBVDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApVFyhBoFr/9yziPYmAfupGi+6Dr9HlSEu4y7EX9UWIylw9CS4Voa/+1ncAOzogfrktnFzQ8mi0CRy5KZ/h/xY3W/RZXSOuTiBxwuYJ21ZyP0F3NE0Dk0iKJbBQvE/zmGVU3o0nSQEJ5eKQF9cj8SCsEac4tcpOeJWGRR4EOaNH8CAwEAAaMyMDAwHQYDVR0OBBYEFAXo7kHUsbMm0Un9lzKiyH3ZKuRhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAToihy3/hoIiQqRgL8LQs+1ZyJfdHwOCmbsgIXHWfuygpkNuCVgWyx00+6WG1rrFOf0JZMar0D7txlc/bnAasiYPUL5EXEL/uikR3e8zzcQOhRAszKHobjW3VxGBYxClWdkhDZNxoiXTPs53aoby1ddub4dbDXQzIo//fNN30FNc=", "ServerSignature": "kFvNmgZ/O5v1sx/qrRRjCJ65ULSYW0YUs6D8HUtcZiIPmdxxX1FnuqnG7Hqf58PvDX3GI/brbGZ53PRUq5Q2RpiVxj+vfAPMR0vYli5u3fC8P3PEfV6q8ByxVzA/JPq19BNQyRc/ggnXxDaQb3mMnaO7P9LiftEDaJle8Xfr3Kk=", "BDOS": "null", "External_config_on_Pastebin": "false"}{"Server": "127.0.0.1,91.134.187.20", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.1", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "fLhIsNqVZyP3FtIfE3paid39lvLLS0GF", "Mutex": "mhtuxtjimxsu", "Certificate": "MIICLzCCAZigAwIBAgIVAMlWIVjWC1nh9ktodokpLXg1Z7jDMA0GCSqGSIb3DQEBDQUAMGAxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjEOMAwGA1UECwwFVmVub20xGjAYBgNVBAoMEVZlbm9tUkFUIEJ5IFZlbm9tMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjIwNDIzMDE0ODMzWhcNMzMwMTMwMDE0ODMzWjATMREwDwYDVQQDDAhWZW5vbVJBVDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApVFyhBoFr/9yziPYmAfupGi+6Dr9HlSEu4y7EX9UWIylw9CS4Voa/+1ncAOzogfrktnFzQ8mi0CRy5KZ/h/xY3W/RZXSOuTiBxwuYJ21ZyP0F3NE0Dk0iKJbBQvE/zmGVU3o0nSQEJ5eKQF9cj8SCsEac4tcpOeJWGRR4EOaNH8CAwEAAaMyMDAwHQYDVR0OBBYEFAXo7kHUsbMm0Un9lzKiyH3ZKuRhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAToihy3/hoIiQqRgL8LQs+1ZyJfdHwOCmbsgIXHWfuygpkNuCVgWyx00+6WG1rrFOf0JZMar0D7txlc/bnAasiYPUL5EXEL/uikR3e8zzcQOhRAszKHobjW3VxGBYxClWdkhDZNxoiXTPs53aoby1ddub4dbDXQzIo//fNN30FNc=", "ServerSignature": "kFvNmgZ/O5v1sx/qrRRjCJ65ULSYW0YUs6D8HUtcZiIPmdxxX1FnuqnG7Hqf58PvDX3GI/brbGZ53PRUq5Q2RpiVxj+vfAPMR0vYli5u3fC8P3PEfV6q8ByxVzA/JPq19BNQyRc/ggnXxDaQb3mMnaO7P9LiftEDaJle8Xfr3Kk=", "BDOS": "null"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
| |
| Click to see the 8 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 91.134.187.20192.168.2.64449497182850454 02/27/23-19:11:47.671813 |
| SID: | 2850454 |
| Source Port: | 4449 |
| Destination Port: | 49718 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00007FFCA44924AD | |
| Source: | Code function: | 0_2_00007FFCA4494308 | |
| Source: | Code function: | 0_2_00007FFCA4494300 | |
| Source: | Code function: | 0_2_00007FFCA44A5BC9 | |
| Source: | Code function: | 0_2_00007FFCA449BC59 | |
| Source: | Code function: | 0_2_00007FFCA4496858 | |
| Source: | Code function: | 0_2_00007FFCA4499010 | |
| Source: | Code function: | 14_2_0150DB08 | |
| Source: | Code function: | 14_2_01501EF0 | |
| Source: | Code function: | 14_2_01502668 | |
| Source: | Code function: | 14_2_0150D9B0 | |
| Source: | Code function: | 14_2_01501EE2 | |
| Source: | Code function: | 14_2_0586E328 | |
| Source: | Code function: | 14_2_0586EBF8 | |
| Source: | Code function: | 14_2_05866E00 | |
| Source: | Code function: | 14_2_0586DFE0 | |
| Source: | Code function: | 0_2_00007FFCA44A9254 | |
| Source: | Code function: | 0_2_00007FFCA44902F8 | |
| Source: | Code function: | 0_2_00007FFCA44902E8 | |
| Source: | Code function: | 14_2_01502AC0 | |
| Source: | Code function: | 14_2_01502668 | |
| Source: | Code function: | 0_2_00007FFCA44A9254 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Driver loaded: | Jump to behavior | ||
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FFCA44A8655 | |
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00007FFCA44A61DA | |
| Source: | Code function: | 0_2_00007FFCA449EE1E | |
| Source: | Code function: | 0_2_00007FFCA449EE31 | |
| Source: | Code function: | 0_2_00007FFCA449CBD4 | |
| Source: | Code function: | 14_2_01501C7A | |
| Source: | Code function: | 14_2_05862492 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Registry key created: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Registry key enumerated: | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 131 Windows Management Instrumentation | 2 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 241 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 12 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 2 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 12 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | 2 LSASS Driver | 212 Process Injection | 141 Virtualization/Sandbox Evasion | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | 2 Scheduled Task/Job | 1 Access Token Manipulation | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | 2 LSASS Driver | 212 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 22 Obfuscated Files or Information | Cached Domain Credentials | 34 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 2 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 21% | ReversingLabs | Win64.Trojan.Generic | ||
| 23% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse | ||
| 0% | ReversingLabs |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1202836 | Download File |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| l-0007.l-dc-msedge.net | 13.107.43.16 | true | false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 91.134.187.20 | unknown | France | 16276 | OVHFR | true |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 816262 |
| Start date and time: | 2023-02-27 19:10:25 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 27 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | UxaZyTE7nq.exe |
| Original Sample Name: | 91a442b21fb353b221ea33e767c7fe1b.exe |
| Detection: | MAL |
| Classification: | mal100.troj.expl.evad.winEXE@29/5@0/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.35.236.109, 173.222.108.210, 173.222.108.226, 20.90.152.133, 184.28.57.26, 40.126.32.74, 20.190.160.22, 40.126.32.133, 20.190.160.20, 40.126.32.140, 40.126.32.68, 20.190.160.14, 40.126.32.136, 23.0.174.120, 23.0.174.122, 23.0.174.136, 23.0.174.121, 23.0.174.130, 23.0.174.123, 23.0.174.137, 23.0.174.129, 23.0.174.138, 13.107.5.88, 20.90.153.243, 20.90.156.32
- Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, cdn.onenote.net.edgekey.net, wns.notify.trafficmanager.net, prda.aadg.msidentity.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, config.edge.skype.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, wu-bg-shim.trafficmanager.net, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, l-0007.config.skype.com, e1553.dspg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 19:11:48 | API Interceptor |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| l-0007.l-dc-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Fabookie | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| OVHFR | Get hash | malicious | RedLine | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT | Browse |
| ||
| Get hash | malicious | Xmrig, ccminer | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Laplas Clipper | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | Xmrig, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\?????.sys | Get hash | malicious | Vector Stealer | Browse | ||
| Get hash | malicious | AsyncRAT, DcRat, VenomRAT | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | XWorm | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AsyncRAT | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Vector Stealer | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | lgoogLoader | Browse | |||
| Get hash | malicious | lgoogLoader | Browse | |||
| Get hash | malicious | lgoogLoader | Browse | |||
| Get hash | malicious | lgoogLoader | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 
Download File
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62932 |
| Entropy (8bit): | 7.9958071285043335 |
| Encrypted: | true |
| SSDEEP: | 1536:pvl2gmukMiArbge/oKIxf+Q9yNJLaRCfIElhUuDz:pvl2gmZhpehIxfJsJLawfIElhUu3 |
| MD5: | FC4666CBCA561E864E7FDF883A9E6661 |
| SHA1: | 2F8D6094C7A34BF12EA0BBF0D51EE9C5BB7939A5 |
| SHA-256: | 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B |
| SHA-512: | C71F54B571E01F247F072BE4BBEBDF5D8410B67EB79A61E7E0D9853FE857AB9BD12F53E6AF3394B935560178107291FC4BE351B27DEB388EBA90BA949633D57D |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Download File
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 328 |
| Entropy (8bit): | 3.1615723839320826 |
| Encrypted: | false |
| SSDEEP: | 6:kKM0qz7ksN+SkQlPlEGYRMY9z+4KlDA3RUe+OGNglcy:k+kPlE99SNxAhUefblcy |
| MD5: | C878E1166FCB2708482602C39E162BBA |
| SHA1: | 884E515CBE4BFA12F511D978A6D785CAD4CAFA82 |
| SHA-256: | FF266CFA40017CF79B191B137229C3724982F9DA2F3D442F70693FFBE033A084 |
| SHA-512: | 6728CE5910D39EC81CE2F83718343C779CF0B7BD0D119BA65D1477DBA5AD046AD54B5C7BC59D11C400DD2F4F9C347B73B6727546C90C63C59D6D9B6DEBF13A1D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\UxaZyTE7nq.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 654 |
| Entropy (8bit): | 5.374391981354885 |
| Encrypted: | false |
| SSDEEP: | 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT |
| MD5: | C8A62E39DE7A3F805D39384E8BABB1E0 |
| SHA1: | B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31 |
| SHA-256: | A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383 |
| SHA-512: | 7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3 |
| Malicious: | true |
| Preview: |
| Process: | C:\Users\user\Desktop\UxaZyTE7nq.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 36208 |
| Entropy (8bit): | 6.284053631838433 |
| Encrypted: | false |
| SSDEEP: | 768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4 |
| MD5: | 97E3A44EC4AE58C8CC38EEFC613E950E |
| SHA1: | BC47E15537FA7C32DFEFD23168D7E1741F8477ED |
| SHA-256: | 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C |
| SHA-512: | 8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8 |
| Entropy (8bit): | 2.75 |
| Encrypted: | false |
| SSDEEP: | 3:Rt:v |
| MD5: | CF759E4C5F14FE3EEC41B87ED756CEA8 |
| SHA1: | C27C796BB3C2FAC929359563676F4BA1FFADA1F5 |
| SHA-256: | C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761 |
| SHA-512: | C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.978944604782391 |
| TrID: |
|
| File name: | UxaZyTE7nq.exe |
| File size: | 363008 |
| MD5: | 91a442b21fb353b221ea33e767c7fe1b |
| SHA1: | e58e0d08ebdc5e91f43631b339c573a732c07056 |
| SHA256: | 35330f1bbbc0f361845b9b987e2f4ac70cdb96ab3f9e80161c2b8971c7df0df4 |
| SHA512: | 262ef3d9577dacde7ad613fe858073b347d21a553961c63f6f64c9dd593fc610dc2bb04ab84b6cf2a4c9347e3795d825690bdb412d19e89fe380da5bd4009f58 |
| SSDEEP: | 6144:ozh88dY9m16JNcxnDggHNrRP5fw2fTt+iMaNOSm3lVVCT4kH/7zppTR:o18fCcaxdPhHTANaYSIlHCT4k/9 |
| TLSH: | 3D74129093DC9C57FF5C1679C8AC11172A789EBBD7A796CF2EA844CC66EA3000472573 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....IA..........."...0.................. ....@...... ....................................`................................ |
 | |
| Icon Hash: | 00828e8e8686b000 |
| Entrypoint: | 0x400000 |
| Entrypoint Section: | |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0xDF4149F2 [Thu Sep 9 19:52:18 2088 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: |
| Instruction |
|---|
| dec ebp |
| pop edx |
| nop |
| add byte ptr [ebx], al |
| add byte ptr [eax], al |
| add byte ptr [eax+eax], al |
| add byte ptr [eax], al |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0x60 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a468 | 0x38 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x58514 | 0x58600 | False | 0.9499453014497878 | data | 7.981513997954339 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x5c000 | 0x60 | 0x200 | False | 0.125 | data | 3.1757517953526886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_GROUP_ICON | 0x5c058 | 0x6 | data |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 91.134.187.20192.168.2.64449497182850454 02/27/23-19:11:47.671813 | TCP | 2850454 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 27, 2023 19:11:46.553606033 CET | 49672 | 443 | 192.168.2.6 | 40.90.65.8 |
| Feb 27, 2023 19:11:47.573369026 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:47.600991011 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:11:47.601259947 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:47.635396004 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:47.671813011 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:11:47.679271936 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:47.708478928 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:11:47.756535053 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:50.830960989 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:50.904359102 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:11:50.904592991 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:11:50.982225895 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:03.165569067 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.248050928 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:03.248159885 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.277838945 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:03.320290089 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.347985983 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:03.398428917 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.510010004 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.592195034 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:03.592434883 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:03.680654049 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:04.232732058 CET | 49693 | 80 | 192.168.2.6 | 93.184.220.29 |
| Feb 27, 2023 19:12:06.153676987 CET | 80 | 49707 | 209.197.3.8 | 192.168.2.6 |
| Feb 27, 2023 19:12:06.153904915 CET | 49707 | 80 | 192.168.2.6 | 209.197.3.8 |
| Feb 27, 2023 19:12:08.657963991 CET | 49704 | 80 | 192.168.2.6 | 8.241.126.249 |
| Feb 27, 2023 19:12:08.658171892 CET | 49707 | 80 | 192.168.2.6 | 209.197.3.8 |
| Feb 27, 2023 19:12:08.674978018 CET | 80 | 49707 | 209.197.3.8 | 192.168.2.6 |
| Feb 27, 2023 19:12:08.675625086 CET | 49707 | 80 | 192.168.2.6 | 209.197.3.8 |
| Feb 27, 2023 19:12:08.677985907 CET | 80 | 49704 | 8.241.126.249 | 192.168.2.6 |
| Feb 27, 2023 19:12:08.678109884 CET | 49704 | 80 | 192.168.2.6 | 8.241.126.249 |
| Feb 27, 2023 19:12:09.339575052 CET | 80 | 49709 | 93.184.220.29 | 192.168.2.6 |
| Feb 27, 2023 19:12:09.341197968 CET | 49709 | 80 | 192.168.2.6 | 93.184.220.29 |
| Feb 27, 2023 19:12:12.360469103 CET | 49729 | 443 | 192.168.2.6 | 13.107.43.16 |
| Feb 27, 2023 19:12:12.360563993 CET | 443 | 49729 | 13.107.43.16 | 192.168.2.6 |
| Feb 27, 2023 19:12:12.360718966 CET | 49729 | 443 | 192.168.2.6 | 13.107.43.16 |
| Feb 27, 2023 19:12:16.451729059 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:16.530651093 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:16.530862093 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:16.566533089 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:16.656225920 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:16.683962107 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:16.832526922 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:16.904267073 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:16.904393911 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:16.984352112 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:28.577745914 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:28.670877934 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:28.671067953 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:28.700054884 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:28.744337082 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:28.772017002 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:28.808320999 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:28.888947964 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:28.889134884 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:28.967809916 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:40.849802017 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:40.919904947 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:40.925098896 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:40.954245090 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:41.011068106 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:41.043493032 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:41.089118958 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:41.098615885 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:41.170604944 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:41.171689034 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:41.248167038 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:50.921273947 CET | 49709 | 80 | 192.168.2.6 | 93.184.220.29 |
| Feb 27, 2023 19:12:50.939707041 CET | 80 | 49709 | 93.184.220.29 | 192.168.2.6 |
| Feb 27, 2023 19:12:50.939836979 CET | 49709 | 80 | 192.168.2.6 | 93.184.220.29 |
| Feb 27, 2023 19:12:55.917112112 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:55.997915983 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:55.998095036 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:56.027657986 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:56.075226068 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:56.103025913 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:56.128896952 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:56.201147079 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:12:56.201338053 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:12:56.279298067 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:01.184989929 CET | 49683 | 443 | 192.168.2.6 | 20.190.159.5 |
| Feb 27, 2023 19:13:01.356775045 CET | 49684 | 443 | 192.168.2.6 | 40.126.31.70 |
| Feb 27, 2023 19:13:01.365171909 CET | 49685 | 443 | 192.168.2.6 | 40.126.31.70 |
| Feb 27, 2023 19:13:05.696619987 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:05.779391050 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:05.779546976 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:05.808697939 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:05.856870890 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:05.884537935 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:05.905389071 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:05.982521057 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:05.982654095 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:06.060770035 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:17.950309992 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:18.030042887 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:18.030193090 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:18.059967041 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:18.108022928 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:18.138520956 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:18.145309925 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:18.217257977 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:18.217431068 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:18.296447992 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:30.156754971 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:30.232592106 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:30.234091997 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:30.263084888 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:30.312685013 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:30.340630054 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:30.341931105 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:30.420027018 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Feb 27, 2023 19:13:30.420202017 CET | 49718 | 4449 | 192.168.2.6 | 91.134.187.20 |
| Feb 27, 2023 19:13:30.498017073 CET | 4449 | 49718 | 91.134.187.20 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Feb 27, 2023 19:12:12.347565889 CET | 8.8.8.8 | 192.168.2.6 | 0x5272 | No error (0) | 13.107.43.16 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 19:11:20 |
| Start date: | 27/02/2023 |
| Path: | C:\Users\user\Desktop\UxaZyTE7nq.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x1dc91420000 |
| File size: | 363008 bytes |
| MD5 hash: | 91A442B21FB353B221EA33E767C7FE1B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
| Target ID: | 1 |
| Start time: | 19:11:28 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x198d6330000 |
| File size: | 258144 bytes |
| MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 2 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x1f77e8a0000 |
| File size: | 126560 bytes |
| MD5 hash: | F31014EE4DE7FE48E9B7C9BE94CFB45F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 3 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x186a8be0000 |
| File size: | 42080 bytes |
| MD5 hash: | 11D8A500C4C0FBAF20EBDB8CDF6EA452 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 4 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x1a018270000 |
| File size: | 96864 bytes |
| MD5 hash: | 2B6A31DFD7C9ED8B413DBDAB800F10F3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 5 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x20cfa730000 |
| File size: | 64096 bytes |
| MD5 hash: | 2B5D765B33C67EBA41E9F47954227BC3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 6 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x174169e0000 |
| File size: | 32872 bytes |
| MD5 hash: | D91462AE31562E241AF5595BA5E1A3C4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 7 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x2126f360000 |
| File size: | 136296 bytes |
| MD5 hash: | 7EC8B56348F9298BCCA7A745C7F70E2C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 8 |
| Start time: | 19:11:29 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7aa180000 |
| File size: | 174184 bytes |
| MD5 hash: | FBA5E8D94C9EADC279BC06B9CF041A9A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 9 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x1fcf0460000 |
| File size: | 44648 bytes |
| MD5 hash: | BF7E443F1E1FA88AD5A2A5EB44F42834 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 10 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x28d293e0000 |
| File size: | 42600 bytes |
| MD5 hash: | 65D30D747EB31E108A36EBC966C1227D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 11 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff701c60000 |
| File size: | 128584 bytes |
| MD5 hash: | B00E9325AC7356A3F4864EAAAD48E13F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 12 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff60e470000 |
| File size: | 47280 bytes |
| MD5 hash: | 33BB8BE0B4F547324D93D5D2725CAC3D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 13 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7bec50000 |
| File size: | 270440 bytes |
| MD5 hash: | 80B018258257C2F78CBFE08198883AC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 14 |
| Start time: | 19:11:30 |
| Start date: | 27/02/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb50000 |
| File size: | 46688 bytes |
| MD5 hash: | 2B40A449D6034F41771A460DADD53A60 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
Execution Graph
| Execution Coverage: | 15.6% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 10.6% |
| Total number of Nodes: | 530 |
| Total number of Limit Nodes: | 91 |
Graph
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA44A5BC9 Relevance: 1.9, Instructions: 1893COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA44902E8 Relevance: 1.6, APIs: 1, Instructions: 124nativethreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA44902F8 Relevance: 1.6, APIs: 1, Instructions: 119nativethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4496858 Relevance: .9, Instructions: 902COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA44924AD Relevance: .7, Instructions: 726COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA449BC59 Relevance: .5, Instructions: 523COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA455131A Relevance: 1.1, Instructions: 1117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4550186 Relevance: .6, Instructions: 567COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4550950 Relevance: .4, Instructions: 440COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA45515E9 Relevance: .4, Instructions: 428COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4550B6B Relevance: .2, Instructions: 222COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4551B29 Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA45501B8 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFCA4552CA8 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 7.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 30 |
| Total number of Limit Nodes: | 0 |
Graph
Function 01502668 Relevance: 2.0, APIs: 1, Instructions: 457nativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01502AC0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01508D98 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01508DA0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01501C18 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01503CC8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |