Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882706
MD5:	06c4b26e4b35eefdd3ba47c2a6316f0a
SHA1:	d3af04c23a9b80252445f713a1071f2cf72e6092
SHA256:	663f49a7b12d9ef01a0c3c98892d7c9a204cae1afc7bf134da02510b61195bb5
Tags:	NETexeMSIL
Infos:

Detection

BlackGuard

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Yara detected BlackGuard

Multi AV Scanner detection for submitted file

.NET source code contains very large array initializations

Yara detected Costura Assembly Loader

Machine Learning detection for sample

.NET source code contains potential unpacker

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Checks if the current process is being debugged

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 5788 cmdline: C:\Users\user\Desktop\file.exe MD5: 06C4B26E4B35EEFDD3BA47C2A6316F0A)

WerFault.exe (PID: 6804 cmdline: C:\Windows\system32\WerFault.exe -u -p 5788 -s 944 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackGuard	According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.	No Attribution	https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer https://cyberint.com/blog/research/blackguard-stealer/ https://ke-la.com/information-stealers-a-new-landscape/ https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Malware Configuration

Threatname: BlackGuard

{"C2 url": "http://94.142.138.111"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.12d84648.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.12d84648.2.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.12d84648.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.12d84648.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.12d84648.2.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.12d84648.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1b2d0000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1b2d0000.3.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1b2d0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1377cb40.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1377cb40.1.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1377cb40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1377cb40.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1377cb40.1.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1377cb40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1b2d0000.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1b2d0000.3.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1b2d0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.1377cb40.1.raw.unpack

Malware Configuration Extractor: BlackGuard {"C2 url": "http://94.142.138.111"}

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbes> source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: lib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: uC:\Users\user\Desktop\file.PDBp source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbSystem.Windows.Forms.dll source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbtpHa Ql source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: file.PDBx source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: lib.pdb.00 source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDBu source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdbG>_& source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb- source: WER68D7.tmp.dmp.3.dr

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

.NET source code contains very large array initializations

Source: file.exe, VK/Program.cs

Large array initialization: GlobaLeess: array initializer size 3484704

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, 00000000.00000002.424893653.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamePython ConsoleB vs file.exe

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5788 -s 944

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5788 -s 944

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5788

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D7.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 3491840 > 1048576

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x353c00

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbes> source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: lib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: uC:\Users\user\Desktop\file.PDBp source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbSystem.Windows.Forms.dll source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbtpHa Ql source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: file.PDBx source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: lib.pdb.00 source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDBu source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdbG>_& source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb- source: WER68D7.tmp.dmp.3.dr

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: file.exe, VK/Program.cs	.Net Code: Ehti System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: file.exe, VK/Program.cs	.Net Code: Ehti

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	ByteCode-MSIL.Packed.Generic
file.exe	44%	Virustotal		Browse
file.exe	100%	Avira	HEUR/AGEN.1311118
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882706
Start date and time:	2023-06-06 17:17:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Execution Graph export aborted for target file.exe, PID 5788 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:18:14	API Interceptor	2x Sleep call for process: file.exe modified
17:18:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2db7612a235b1823c476f2f7c37c3d2280d4ef70_4149fb10_1ad28681\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.014649401821877
Encrypted:	false
SSDEEP:	192:UfBbnZvk2xNHJivp1Exa1ukczu/u7skS274ltkBR:GbRNJivpQackh/u7skX4lto
MD5:	93EC89A81E2DF92893D8D4F2B16B5E2F
SHA1:	8412C3F18BCBA57967D6DB2A30DCA60F92C32020
SHA-256:	FFC45F7F8B86036D9321303E253E5DF4BA1B61EE7CFC6668D792D5F7A5D5F840
SHA-512:	DF73BAEDA7A709F5582A4CA5A7B908C1649386069ED3224D7DD089525F5FD5C462163CC0E8C0DC2E55DF9A53A3A8D965E8E4637BD5E039D84F9227D864F1EF46
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.7.0.6.9.9.5.0.6.2.8.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.7.0.7.0.3.4.5.9.4.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.3.e.8.d.d.3.-.b.0.6.2.-.4.b.9.a.-.8.e.8.c.-.b.e.a.d.9.1.8.e.2.4.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.b.e.2.3.8.f.-.2.e.0.7.-.4.a.1.0.-.a.9.a.3.-.1.4.9.3.c.f.5.b.f.0.5.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.y.t.h.o.n. .C.o.n.s.o.l.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.9.c.-.0.0.0.1.-.0.0.1.9.-.6.c.4.4.-.7.b.8.9.d.5.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.3.f.2.f.1.3.c.1.6.5.3.8.3.0.2.c.a.6.8.1.b.f.7.1.4.0.6.9.4.0.0.0.0.0.0.0.0.0.!.0.0.0.0.d.3.a.f.0.4.c.2.3.a.9.b.8.0.2.5.2.4.4.5.f.7.1.3.a.1.0.7.1.f.2.c.f.7.2.e.6.0.9.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D7.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jun 7 00:18:22 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	290520
Entropy (8bit):	3.3638026394446348
Encrypted:	false
SSDEEP:	3072:xWsHN3toluFZkGPZkl9ciFz5aggGhlRv5i324LBjRF0+NK72:4CNdOuIGPZ4z5a9q3i3DB
MD5:	B3D2DC96933C323C76CEDE918B7DB5E7
SHA1:	E5B6AC51E7A5C00FCC63D9351FFF9A833292E764
SHA-256:	EE195EB834F39E6AE58828BB602A28FB1E50E2D3E9788B8E4691D6EAA65706AF
SHA-512:	99CDE1A5BB98D31C9A7A98620813F37D16B5F0F092F5B9EDBA895FF7ED91AEF23706926BDF61E49AADEE5601522209E37E0A58CB4955DE64DB7294E6849E8835
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........d............$...............8...................D....I..........`.......8...........T...........@%...I.......................!...................................................................U...........B......("......Lw..................D...T..............d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8816
Entropy (8bit):	3.703746760009639
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNimCBV6YBS6znygmfZDLcSUQCprw89bB1QfwLm:RrlsNiDV6YB/OgmfmSUVBCfx
MD5:	88867E95A9857C1DACADC643EF33C99D
SHA1:	831154B2AE0746FB03D86B45FAA6FE03C6E0875B
SHA-256:	FDCC6283C0F7726BFBC5B46F94D957D7F39C75404D6D5DF0811D5291A3A74A08
SHA-512:	E484592954F815AC4711F3E2EEC47DADD9D3A0F2D10761E99E7A76C880D317F826556AB1AB4D8FCDD5C2756758DD66B557F80173FF929E4DFE01BAF10C80D62C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7462.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4781
Entropy (8bit):	4.482827641496303
Encrypted:	false
SSDEEP:	48:cvIwSD8zsltJgtBI98KWgc8sqYjuy8fm8M4JvXF9Yyq8vjUUg/cKgkd:uITfdurgrsqYanJUWAUg/cKgkd
MD5:	A88F3F3BDA45DB3B46194B0115F204D9
SHA1:	BDE0869D2186A79F7E2414D6F7B4A08E43C74909
SHA-256:	D496D3BF6FA3343074FDDAEFBF723688880FD76B24FE1D9DE0F3F247F856E0FB
SHA-512:	512E88AC6BE6EDBC9DD884BE87583A075E635B21E70055647ED5D8C5C74682CDC9A43BFB4898561CA1198CB09FDE630F7194F3E5F1863AC4DC6D9B1D75F4339C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074169" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.337473739277329
Encrypted:	false
SSDEEP:	12288:cNSf0Th31TnpOTSPT+MyQwmjLmuppBsdvBAaQNVLJA9LXxdM+Dbs16:KSf0Th31TnpOTSPUfH
MD5:	D628E413B830AE8CC9868372D30FBAE5
SHA1:	0544324723837FE703B9428C884E748E58C2252E
SHA-256:	33B9FFA1596F5D247AE4718D619319719E7D9526E9AB21A4C1860177EEA76445
SHA-512:	826C8FB5BB4F9DC2269C1CA712522EB657F314EBA206B3E92E04BF10E24510367BFD13F7731A55D343219E979AED2540A9A37580E64F953A559381F4D909A91B
Malicious:	false
Preview:	regfX...X...p.\..,.................. ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm."................................................................................................................................................................................................................................................................................................................................................_...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9998114647864
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	3491840
MD5:	06c4b26e4b35eefdd3ba47c2a6316f0a
SHA1:	d3af04c23a9b80252445f713a1071f2cf72e6092
SHA256:	663f49a7b12d9ef01a0c3c98892d7c9a204cae1afc7bf134da02510b61195bb5
SHA512:	9a0a59908d1752b9e7b9e27ed4113b69a00cdfd7f9e015ea1459a758a9469615c8286d8cdc23ce435195042839c8e35f4d10eebcb8379be2198007203d0fd229
SSDEEP:	49152:6NSK+2TE7nIYHIdHwA8J4Nc/bffdxBtvg8aqBpbzU2OggC1Bn5vs5:6+2uBodQK6DffbB2PSJzlLg65v
TLSH:	0DF533588E5A8DE7F012477CE09D79E266E3FA0AFD3117691300B59E7593E3C24E81AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ld.................<5..........Z5.. ...`5...@.. ........................5...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x755ade
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x646CB97F [Tue May 23 13:02:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x355a8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x356000	0x6ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x358000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x353ae4	0x353c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x356000	0x6ac	0x800	False	0.36279296875	data	4.624206103000978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x358000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3560a0	0x420	data
RT_MANIFEST	0x3564c0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5788, Parent PID: 3324

General

Target ID:	0
Start time:	17:18:08
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x2c0000
File size:	3491840 bytes
MD5 hash:	06C4B26E4B35EEFDD3BA47C2A6316F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6804, Parent PID: 5788

General

Target ID:	3
Start time:	17:18:19
Start date:	06/06/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5788 -s 944
Imagebase:	0x7ff6f2480000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5788, Parent PID: 3324COMMON

Executed Functions

Function 00007FF9A56105F0 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FF9A561073F

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: a19a90c2d795a8f23faae0fe0ffa9efa9895ba292344039908a6aa02dcc352de
Instruction ID: a6f83a4ac9e4c1879f90d33d30f71e5c06f09d90a4f5ae3d3541523695161a4a
Opcode Fuzzy Hash: a19a90c2d795a8f23faae0fe0ffa9efa9895ba292344039908a6aa02dcc352de
Instruction Fuzzy Hash: 0D91C561F0DA094FEF94EB6C94597BC77D1FF9A711B04417AE08DC3292EE68AC458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56105D5 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FF9A561073F

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: 15a45840fd55c8e00bf0aad5a90ac27827046366fc33a268d7553e29cc721a99
Instruction ID: a599e0e983ebb206512b135d8831864fdf6668d6043ed2f25b3e3a8376ca1011
Opcode Fuzzy Hash: 15a45840fd55c8e00bf0aad5a90ac27827046366fc33a268d7553e29cc721a99
Instruction Fuzzy Hash: 32619661F0DA494FEB94EB2C945967C77D1FF9A711B0441BAD08DC32A3EE28AC458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A561068D Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FF9A561073F

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: 1caca3d0ca7655eb8948cc2f45386da7d2017ea8d9ed6d2352b86ffea9ea1299
Instruction ID: 534b0a9953fef56ba3a803e517755049718e7127a0be5d67ba7f9e7923d50a7f
Opcode Fuzzy Hash: 1caca3d0ca7655eb8948cc2f45386da7d2017ea8d9ed6d2352b86ffea9ea1299
Instruction Fuzzy Hash: 92518471F199498FDB94EB2C8459BBD77E1FF59711B04017AE08DC32A2EE24EC458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5610078 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d1ee80aa256257fb5dbed5c31315e89e1fb44f49fccfaec335b4ffd65af382
Instruction ID: d2d25187784473eab1f232c00fd346b88d79ae56c10b4c9704ebd2e3ca97b051
Opcode Fuzzy Hash: 88d1ee80aa256257fb5dbed5c31315e89e1fb44f49fccfaec335b4ffd65af382
Instruction Fuzzy Hash: BC41D426F186965BE704B778B4961FA2F90BF83320B4444BBD5CDCB093DD18694A4395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5610090 Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c93cd7206e9a1ad4c3594cbe31fc6f38dd61288b68eae9063d93ca6f820db5
Instruction ID: f56843a01300926b4ccc978a880b13bf766eb0386568978a9f74928563de58f7
Opcode Fuzzy Hash: 36c93cd7206e9a1ad4c3594cbe31fc6f38dd61288b68eae9063d93ca6f820db5
Instruction Fuzzy Hash: F941F226F186965BE708B778B4961FA2F91FF83320B4044BBD6CDCB093DD18694A8394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5610098 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ab8e96e15384dfe1a501cc35a4c2f455f80d0c2b61a841545daae69df01620
Instruction ID: a29c97478c771286bbfb04e574912e09b761c242beb71566929ba50e52d509b1
Opcode Fuzzy Hash: b9ab8e96e15384dfe1a501cc35a4c2f455f80d0c2b61a841545daae69df01620
Instruction Fuzzy Hash: 7841E426F1C6861BE708B778B4971FA2F91BF83320B4044BBD6CDCB093DD18694A8394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56108C5 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0a42d8dcbd15d36d0983048f1276698bcdd13e2ef6d31049fb3a8aef1521b9
Instruction ID: dd1aa6691aabe35c0902fa9f2ccb8d14618b4f0eb1f0a240d55339cbc3694dd1
Opcode Fuzzy Hash: 7d0a42d8dcbd15d36d0983048f1276698bcdd13e2ef6d31049fb3a8aef1521b9
Instruction Fuzzy Hash: 5631C43160CA8C8FCB95EF28C454AA9BFE1FF99321B0501AFE08DC7662DB659805C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56108FE Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3074bf5a0395526dfd643498ca109cf529499f13f7fef3234cf6eabd6c9f539b
Instruction ID: 2f06e8d1b2cd7b4bb2330e9738877bc2e006c97e181a01a42f4cb3726570fb5a
Opcode Fuzzy Hash: 3074bf5a0395526dfd643498ca109cf529499f13f7fef3234cf6eabd6c9f539b
Instruction Fuzzy Hash: 7B31823064D6894FC796DB78C454A667FE1EF5A221B0601EFE089DB673CA65C805C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5610822 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd86e516d91c7bf4ed21f0556493b80760159c11f196bd99f0e1cc595bb1d2f
Instruction ID: 8a86edf74486868aaf94c7f6aa59c5fa0210aaaf161177a0cd15c92d9cb44816
Opcode Fuzzy Hash: 0fd86e516d91c7bf4ed21f0556493b80760159c11f196bd99f0e1cc595bb1d2f
Instruction Fuzzy Hash: 8B016D21F1A90D0FEFC8E76C645A3FCB3E2EB99A21B001036D44ED3282DE5878064680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5610549 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.430346385.00007FF9A5610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5610000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9198ea0d1739b7fb119d6526621cc13951ffd4e68f556a7d90d23fa62fbb3839
Instruction ID: b810e39c9ab40f6c0449ef5e1a8919c1c2f2f6112f27dc711a974e644085b53b
Opcode Fuzzy Hash: 9198ea0d1739b7fb119d6526621cc13951ffd4e68f556a7d90d23fa62fbb3839
Instruction Fuzzy Hash: 75018F10E8E6024BEB49F7B099133FC3A51AF87310F8564B6E88DC72D3ED9DB8494212

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: BlackGuard

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2db7612a235b1823c476f2f7c37c3d2280d4ef70_4149fb10_1ad28681\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7462.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe