Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882710
MD5:	296fd972f13fe3f371d16ff2430a3e81
SHA1:	056a3fbe0a88a39348e8b99f0cffb3c6e63b5655
SHA256:	7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5
Tags:	NETexeMSIL
Infos:

Detection

BlackGuard

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Yara detected BlackGuard

Multi AV Scanner detection for submitted file

.NET source code contains very large array initializations

Yara detected Costura Assembly Loader

Machine Learning detection for sample

.NET source code contains potential unpacker

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Checks if the current process is being debugged

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 3360 cmdline: C:\Users\user\Desktop\file.exe MD5: 296FD972F13FE3F371D16FF2430A3E81)

WerFault.exe (PID: 5956 cmdline: C:\Windows\system32\WerFault.exe -u -p 3360 -s 944 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackGuard	According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.	No Attribution	https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer https://cyberint.com/blog/research/blackguard-stealer/ https://ke-la.com/information-stealers-a-new-landscape/ https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Malware Configuration

Threatname: BlackGuard

{"C2 url": "http://94.142.138.111"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.13ebcb40.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.13ebcb40.2.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.13ebcb40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1bc10000.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1bc10000.3.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1bc10000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.1bc10000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.1bc10000.3.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.1bc10000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.13ebcb40.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.13ebcb40.2.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.13ebcb40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.134c4648.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.134c4648.1.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.134c4648.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.134c4648.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.134c4648.1.raw.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.2.file.exe.134c4648.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.1bc10000.3.raw.unpack

Malware Configuration Extractor: BlackGuard {"C2 url": "http://94.142.138.111"}

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 46%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdbG> source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb< source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\file.PDBL8 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.00000000012CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: lib.pdb.0 source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba5c5 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

.NET source code contains very large array initializations

Source: file.exe, VK/Program.cs

Large array initialization: GlobaLeess: array initializer size 3484704

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, 00000000.00000002.410474117.0000000001279000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamePython ConsoleB vs file.exe

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3360 -s 944

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3360 -s 944

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3360

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C19.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@2/5@0/1

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 3661312 > 1048576

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x353c00

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdbG> source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb< source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\file.PDBL8 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.00000000012CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: lib.pdb.0 source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER7C19.tmp.dmp.3.dr
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba5c5 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: file.exe, VK/Program.cs	.Net Code: Ehti System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: file.exe, VK/Program.cs	.Net Code: Ehti

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected BlackGuard

Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	ByteCode-MSIL.Packed.Generic
file.exe	46%	Virustotal		Browse
file.exe	100%	Avira	HEUR/AGEN.1311119
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882710
Start date and time:	2023-06-06 17:21:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@2/5@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Execution Graph export aborted for target file.exe, PID 3360 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:22:11	API Interceptor	2x Sleep call for process: file.exe modified
17:22:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d2892c472895a2b98efdcdcd7642ab4d7ea6c2_3b20dbdc_17059a9d\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0154175955898803
Encrypted:	false
SSDEEP:	192:FaBDbqevl2/NHJivpxIxa1ukczu/u7s1S274ltoB:2DbDoJivpoackh/u7s1X4ltc
MD5:	5D7C9AA3EEF5CC7D1ABB8FFB78C3FECB
SHA1:	F7049D063B2313BB3F38E13F60B1C014628F14D2
SHA-256:	2BC6CE33C528A5B6195C2D819AB4393D3A7A3044307E28F1C60143985ADBC10F
SHA-512:	F44882EBFC915880146CEA2D1F4BB8BF9FFCAA61D385D87B11E0E77148D444FAE84791E18E640FF51A9267C396645FCE8B2D0ACE84E57F245D60526879F811D9
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.7.0.9.3.7.6.2.9.6.2.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.7.0.9.3.8.4.8.8.9.5.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.d.6.a.0.3.d.-.1.2.2.c.-.4.8.8.3.-.9.9.8.8.-.e.a.7.6.3.6.c.e.b.3.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.c.2.2.a.9.c.-.c.5.c.6.-.4.c.0.c.-.8.5.5.5.-.9.2.d.9.9.1.6.9.d.3.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.y.t.h.o.n. .C.o.n.s.o.l.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.0.-.0.0.0.1.-.0.0.1.f.-.f.9.1.5.-.c.1.1.6.d.6.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.3.f.2.f.1.3.c.1.6.5.3.8.3.0.2.c.a.6.8.1.b.f.7.1.4.0.6.9.4.0.0.0.0.0.0.0.0.0.!.0.0.0.0.0.5.6.a.3.f.b.e.0.a.8.8.a.3.9.3.4.8.e.8.b.9.9.f.0.c.f.f.b.3.c.6.e.6.3.b.5.6.5.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C19.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jun 7 00:22:17 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	289968
Entropy (8bit):	3.3909347167244874
Encrypted:	false
SSDEEP:	3072:il9tolbqg5YuGUF0+EEShwv5XtS94hLPZkl9c4s:ebObqSBYhYdSwPZW
MD5:	81845BC11C970609E81A250C871F402B
SHA1:	29F03795D3E282977C3393FDF4847080F68D3BA3
SHA-256:	DD047031CA85FFEA7129EFC5A4BFFCA8BEA1BD28315EC10EC382CD216B9473A8
SHA-512:	DD0B95F708FA19F7FFE6BF89B7A2FAA79648A85ABCF5BB5EDDCE6AAF3CE4A96BF0FA1BDB211858BBC99125E642F99AAD27B123C1472A3861AE9A1CD2E67BE981
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........d............$...............8...................D....I..........`.......8...........T...........@%..pG.......................!...................................................................U...........B......("......Lw................`.....T....... ......d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E1E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8816
Entropy (8bit):	3.70405814562524
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiCCeZ+6YqgBQgmfZDLeSUpCprr89bpb+hfjDm:RrlsNiog6Yt2gmf0SUdpbof2
MD5:	FB7B29A54D8CF8060A2DF2713E668E59
SHA1:	58190D23054A48AD969A89DE13EAA6DF8970FA7B
SHA-256:	285CF8C1B2948009E7BE858FB0D0B0A274D340CEEB4E6FB919E28E1D23E84B75
SHA-512:	DF967CA532966182155694A2D23319B644C6526F1C76AA81EAB531B5C9142E8E95A06E4F8FF7DB974B07D588DDC564C30828E4705DAF75A7AC305FF8FAFEF984
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E4D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4781
Entropy (8bit):	4.481383546237062
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtBI9XXWgc8sqYjQ8fm8M4JFXFzQyq8vx9eUurGcTxkd:uITflNmgrsqYhJvQWneUjcTxkd
MD5:	E15867255930E0632D7C0E0D4784C21B
SHA1:	B64BD604EBE9D7AA4F9B9A75047E7B0FE4EEFF7F
SHA-256:	16822727642A0792854113C8A8D9D5759CC1ADA9A584DFFC340A4843D5388799
SHA-512:	4E4C9241161A7F33D458BAA0F2DA1ECD17A7AC6E0A644727DE501A9217595BA00D7AC384313F65B8F50F982F31F21CCBD12203D48B02CA8075878D6DEC870353
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074172" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.286984272816522
Encrypted:	false
SSDEEP:	12288:v/jK0Th312aptTSP2C/doN515xzNu2R+GrNHk+DVl/IQG6bnv/OmaaoS:DK0Th312aptTSP+HL
MD5:	3D402A369D6390F9E65DE08D1DE8637F
SHA1:	62924C83353B75BB7A5D9B9DD38AFA62B390DB45
SHA-256:	24FC9B4DA4BA3FC4012009E644D029CD56EF645B9A40574438524D004AB7B3AE
SHA-512:	031F4853E87EA16820D9718A8B14F426480C9876975C8F3785FB7EF957552DCD39594BA3F5A2135554DF6E32AC49DF6D293FD776ACF4618E3D013B85A64C111B
Malicious:	false
Reputation:	low
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm._....................................................................................................................................................................................................................................................................................................................................................@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9353492722044665
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	3661312
MD5:	296fd972f13fe3f371d16ff2430a3e81
SHA1:	056a3fbe0a88a39348e8b99f0cffb3c6e63b5655
SHA256:	7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5
SHA512:	35c8a54f60f440333bb282459eb4db7f62f5abfb4c16fa0655df8d5a434f66b49bbb7a49543741462f60439ee6bf8b2b9547b7241954e500687cc06bd226ccb1
SSDEEP:	98304:46UJZSh7kjoRtHOrpMsgD+TPzxpCQcYOi:pwQh7kjoihFTZOi
TLSH:	77063355A98690D4C4FE96394B778BF51B5E4E0374E6C24E33D4BB26C8BC084F9293A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ld.................<5..<.......Z5.. ...`5...@.. ........................6...........@................................

File Icon


Icon Hash:	196d763009651118

Static PE Info

General

Entrypoint:	0x755ade
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x646CB611 [Tue May 23 12:48:17 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x355a8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x356000	0x138a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x353ae4	0x353c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x356000	0x138a0	0x13a00	False	0.49946506767515925	data	6.156042221592264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36a000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x356340	0x3d97	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x35a0d8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors
RT_ICON	0x35b700	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON	0x35c5a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x35ce50	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors
RT_ICON	0x35d518	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON	0x35da80	0x30fa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x360b7c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0x364da4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x36734c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x3683f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0x368d7c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0x3691e4	0xae	data
RT_VERSION	0x369294	0x420	data
RT_MANIFEST	0x3696b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 3360, Parent PID: 3452

General

Target ID:	0
Start time:	17:22:05
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xb00000
File size:	3661312 bytes
MD5 hash:	296FD972F13FE3F371D16FF2430A3E81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5956, Parent PID: 3360

General

Target ID:	3
Start time:	17:22:17
Start date:	06/06/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3360 -s 944
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 3360, Parent PID: 3452COMMON

Executed Functions

Function 00007FFBAC0F05F0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FFBAC0F073F

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: 5c9865ae0f52e95eeba929f1973e161416fd769209af94b864a886e6ef078db6
Instruction ID: 89b5385e010af0b1f5db0a2736e5cd5f97085fe10b4574c6ec95c62fa23fdf7d
Opcode Fuzzy Hash: 5c9865ae0f52e95eeba929f1973e161416fd769209af94b864a886e6ef078db6
Instruction Fuzzy Hash: 7991D5A1F0991A4FEBA5EB3CC45DAB877E1FF58305B0401B9D44DC32A2DE28DC5A8790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F05D5 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FFBAC0F073F

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: e525733de1ebead25f7bc081802c1bbc962ba1a7f1c9ba15ed83757eea5446f4
Instruction ID: 3578283561183e3936f745b2167790efffdc0313e0693f4029a3691f5879fe1e
Opcode Fuzzy Hash: e525733de1ebead25f7bc081802c1bbc962ba1a7f1c9ba15ed83757eea5446f4
Instruction Fuzzy Hash: 4861A5A1E0995A4FEBA5E73CC419A687BE1FF58305B0401B9D44DC32A2EE28DC5A8791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F068D Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

,5, xrefs: 00007FFBAC0F073F

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID: ,5
API String ID: 0-2827890815
Opcode ID: 38b55402bf120245c0daff715d21da1cf1939a9c3407f615b7dcb8ab6e0e8319
Instruction ID: 8c29c1dc4ff8ca173597425354031f9348c0cd8ed5ad0c8efedbb30e88723db8
Opcode Fuzzy Hash: 38b55402bf120245c0daff715d21da1cf1939a9c3407f615b7dcb8ab6e0e8319
Instruction Fuzzy Hash: 365197B1E099594FDBA5EB2CC85DAA97BE1FF58301B0401B5D44DC32A2DF28DC568B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F0144 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939c3bc115abdecb159271fe46ed5f5df4c5d0d8b19d0c88d7b5e75cab9f6eba
Instruction ID: 441eba0f4168fad274c131a53194acb04a597a20ce97cba5133d477efaea1165
Opcode Fuzzy Hash: 939c3bc115abdecb159271fe46ed5f5df4c5d0d8b19d0c88d7b5e75cab9f6eba
Instruction Fuzzy Hash: 3D21C951F1866E8BE709F7B8C8916B92662EFC9300F8514B9E04BC71D3DC5C9812D3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F08C5 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff99de842795bfb8084838f8502c72e659dcd13bc5928d0f228dec7f0d53441c
Instruction ID: 401c59d25472a5963b55961cdf985d3873e41be87d31fcb8876926ed6ece0091
Opcode Fuzzy Hash: ff99de842795bfb8084838f8502c72e659dcd13bc5928d0f228dec7f0d53441c
Instruction Fuzzy Hash: 5A31D07160CA8C4FC795EB68C8589AABFE1FF99311B0501AFE08DC7262DB65CC55C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F08FE Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd12c66e23bab1f0f6867b80aa57a971b9650500fb954e25159186aea06bf3d
Instruction ID: 9264301236cb85c88d6f3f1f2031e89e21fe26cbb86cde81f71b80595fcaf0a2
Opcode Fuzzy Hash: 6cd12c66e23bab1f0f6867b80aa57a971b9650500fb954e25159186aea06bf3d
Instruction Fuzzy Hash: 1331E47060DAC84FC796DB78C428A667FE1EF5A211B0A01EFE089C7663CA65CC05C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F0822 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07469c123b8d8617749b3b2ce03e5834d5084cb9bf2bbad9cebf432a6e76161
Instruction ID: b6228393b67a34df2b66ca49e98338dbb368f7588fc9116827506d1f5b961849
Opcode Fuzzy Hash: a07469c123b8d8617749b3b2ce03e5834d5084cb9bf2bbad9cebf432a6e76161
Instruction Fuzzy Hash: 5E0162A1F1980E4FAF95F778985A6FCB3E2EB98215B044035D90ED3292DE199C5647C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC0F0549 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416132747.00007FFBAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac0f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a469633a657da2c3797ff29abdd5b0db61ae64ccf58c498edfebc23cfd22cd
Instruction ID: b6ab680eee4c9f75c55c212f612dc15f35f4f63cdbfd486cb5b827ac3825d251
Opcode Fuzzy Hash: 08a469633a657da2c3797ff29abdd5b0db61ae64ccf58c498edfebc23cfd22cd
Instruction Fuzzy Hash: 5E01B5D180F6560FEB66B3B08826AF82B915F46304F8504B5E80DC72D3DE4EEC9E4362

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: BlackGuard

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d2892c472895a2b98efdcdcd7642ab4d7ea6c2_3b20dbdc_17059a9d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C19.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E1E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E4D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

Windows Analysis Report
file.exe