
s9SWgUgyO5.exe

Status: finished
Submission Time: 2021-09-27 20:20:45 +02:00
Malicious
Trojan
Exploiter
Evader
Nanocore

Comments

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    491708
  • API (Web) ID:
    859275
  • Analysis Started:
    2021-09-27 20:26:26 +02:00
  • Analysis Finished:
    2021-09-27 20:42:14 +02:00
  • MD5:
    b462382cb954466386f9334247e0a34c
  • SHA1:
    0ac9e261eafc36f2d8a7bda5755b44c9d8c883e9
  • SHA256:
    6a19a144807268d406c6da55513ae24493b2d411ba8e2a2e15567d66e55d976b
  • Technologies:

Joe Sandbox

| Engine | Detection | Info |
|---|---|---|
| Joe Sandbox | malicious | Score: 100. System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |

Third Party Analysis Engines

| Detection | Score |
|---|---|
| malicious | 9/35 |
| malicious | 10/28 |

IPs

| IP | Country | Detection |
|---|---|---|
| 162.159.130.233 | United States | |
| 194.147.140.25 | unknown | |
| 162.159.133.233 | United States | |

Domains

| Name | IP | Detection |
|---|---|---|
| cdn.discordapp.com | 162.159.133.233 | |
| friomo.duckdns.org | 194.147.140.25 | |

URLs

Name (no detection recorded for any entry)

  • https://appexmapsappupdate.blob.core.windows.net
  • https://dev.virtualearth.net/mapcontrol/logging.ashx
  • https://dev.ditu.live.com/mapcontrol/logging.ashx
  • https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
  • https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
  • https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
  • https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
  • https://dev.virtualearth.net/REST/v1/Transit/Schedules/
  • https://dynamic.t
  • https://dev.virtualearth.net/REST/v1/Routes/Transit
  • https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
  • https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
  • https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • https://activity.windows.com
  • http://www.bingmapsportal.com
  • https://dev.ditu.live.com/REST/v1/Locations
  • https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
  • https://%s.dnet.xboxlive.com
  • https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
  • https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
  • https://dev.virtualearth.net/REST/v1/Routes/Walking
  • https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
  • https://dev.ditu.live.com/REST/v1/Routes/
  • https://dev.virtualearth.net/REST/v1/Routes/Driving
  • https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
  • https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
  • https://t0.tiles.ditu.live.com/tiles/gen
  • https://dev.virtualearth.net/REST/v1/Routes/
  • https://cdn.discordapp.com/attachments/886962207051640872/890689205934620692/4102A6C4.jpg
  • https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
  • https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
  • http://crl.ver)
  • https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
  • https://cdn.discordapp.com
  • https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
  • https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
  • http://google.com
  • https://%s.xboxlive.com
  • https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
  • https://dev.virtualearth.net/REST/v1/Locations

Dropped files

| Name | File Type |
|---|---|
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_s9SWgUgyO5.exe_906cf9c9d383b63dc7dffe55c9f4374d6972c2_bc6c4cc7_044e01f0\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\Users\Public\Documents\???????????????\svchost.exe:Zone.Identifier | ASCII text, with CRLF line terminators |
| C:\Users\Public\Documents\???????????????\svchost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | Non-ISO extended-ASCII text, with no line terminators, with overstriking |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzm0yq0h.1yh.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xsvq2co.5px.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kyz0njed.lca.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq2mhz2z.irn.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmzxtpal.wlv.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbngdk45.hvk.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qx5b0ha2.mrm.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rslbwbev.gpk.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2q3ne0h.er5.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvx0vfuv.bx0.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1nf1r4w.p5l.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvraegol.fzc.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | data |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin | data |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat | data |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.9xOhnXgG.20210927202809.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.Axn3CWdN.20210927202806.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.IFp2s05x.20210927202733.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.J9PIXj6a.20210927202731.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.JSwVICU1.20210927202749.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.KdadWnHW.20210927202810.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.lgnlqOM5.20210927202750.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.mbVnUaXY.20210927202729.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20210927\PowerShell_transcript.910646.tfVce1MH.20210927202752.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | data |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER73D9.tmp.txt | data |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xa184da57, page size 16384, DirtyShutdown, Windows version 10.0 |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_f7137cbad9f7f196b5e4d4e5d71130be24217a9_1341e600_0bfe5ce1\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_f7137cbad9f7f196b5e4d4e5d71130be24217a9_1341e600_15a2778d\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CFA.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Sep 28 03:28:15 2021, 0x1205a4 type |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D71.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F37.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F47.tmp.csv | data |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5718.tmp.txt | data |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER62AE.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Sep 28 03:28:27 2021, 0x1205a4 type |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C44.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E0A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E1C.tmp.csv | data |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrkzr5yy.54x.psm1 | very short file (no magic) |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEBB.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Sep 28 03:27:52 2021, 0x1205a4 type |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE958.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA82.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAAF.tmp.csv | data |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2DE.tmp.txt | data |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1vptdszn.afy.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21by5mbg.ozg.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3la1bnrc.tow.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zzq33dl.zko.ps1 | very short file (no magic) |
| C:\ProgramData\Microsoft\Network\Downloader\edb.log | data |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxgvoyop.yop.ps1 | very short file (no magic) |