Edit tour

Windows Analysis Report
AjeraClient.exe

Overview

General Information

Sample name:	AjeraClient.exe
Analysis ID:	1416062
MD5:	40928e4178bda59e746e16881c5fe666
SHA1:	ee16e166193b73dd2e356c5f7e83371af8c2e457
SHA256:	3cef09741f920edcd4b7f0979ac2598c2ebff77323f614f566eb0e1d07cc4758
Infos:

Detection

Score:	17
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

AjeraClient.exe (PID: 4292 cmdline: "C:\Users\user\Desktop\AjeraClient.exe" MD5: 40928E4178BDA59E746E16881C5FE666)

WerFault.exe (PID: 3184 cmdline: C:\Windows\system32\WerFault.exe -u -p 4292 -s 724 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AjeraClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.AjeraClient.exe.287fa3d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: AjeraClient.exe

Static PE information: certificate valid

Source: AjeraClient.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb; source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER472.tmp.dmp.4.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: AjeraClient.exe, type: SAMPLE
Source: Yara match	File source: 0.0.AjeraClient.exe.287fa3d0000.0.unpack, type: UNPACKEDPE

Source: AjeraClient.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AjeraClient.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AjeraClient.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AjeraClient.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AjeraClient.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AjeraClient.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AjeraClient.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AjeraClient.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AjeraClient.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AjeraClient.exe	String found in binary or memory: http://fa1171/Ajera/SAService.rem
Source: AjeraClient.exe	String found in binary or memory: http://help.deltek.com/learningcentersecurity.aspx?version=8
Source: AjeraClient.exe	String found in binary or memory: http://help.deltek.com/learningcentersecurity.aspxSHelp
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/IntegrationService/AccountSetup
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/IntegrationService/DashboardUrl
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/IntegrationService/EmailCredentials
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/IntegrationService/Transmit
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/T
Source: AjeraClient.exe	String found in binary or memory: http://nelcosolutions.com/TU
Source: AjeraClient.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: AjeraClient.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: AjeraClient.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: AjeraClient.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: AjeraClient.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.AccountSetup
Source: AjeraClient.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.Transmit
Source: AjeraClient.exe	String found in binary or memory: http://timestamp.digicert.com
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: AjeraClient.exe	String found in binary or memory: http://www.axium.com/company/contact-us.aspx
Source: AjeraClient.exe	String found in binary or memory: http://www.axium.com/legal/SoftwareLicenseAjera.aspx/Ajera
Source: AjeraClient.exe	String found in binary or memory: http://www.axium.com/legal/SoftwareLicenseAjera.aspx?record=
Source: AjeraClient.exe	String found in binary or memory: http://www.axium.com/solutioncenter7https://www.ajerausers.org/-Crystal
Source: AjeraClient.exe	String found in binary or memory: http://www.axium.com/support/webinars.aspxghttp://www.axium.com/support/training-sessions.aspx
Source: AjeraClient.exe	String found in binary or memory: http://www.axiumae.com/DataUpload/CustomCrystal/
Source: AjeraClient.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: AjeraClient.exe	String found in binary or memory: http://www.greatland.com/Schemas/GWX/1.0/
Source: AjeraClient.exe	String found in binary or memory: http://www.surveymonkey.com/s/MGDWLLGkAxium
Source: AjeraClient.exe	String found in binary or memory: https://ajera.comEUnable
Source: AjeraClient.exe	String found in binary or memory: https://axium.nelcoportal.com/IntegrationService.svc
Source: AjeraClient.exe	String found in binary or memory: https://axium.nelcoportal.com/IntegrationService.svc?
Source: AjeraClient.exe	String found in binary or memory: https://axiumsdkdev.nelcoportal.com/IntegrationService.svc
Source: AjeraClient.exe	String found in binary or memory: https://axwebservices.axium.com/webservices/ajeraservice.asmx
Source: AjeraClient.exe	String found in binary or memory: https://update.axium.com/SQLEXPR_TOOLKIT.EXE;Downloading
Source: AjeraClient.exe	String found in binary or memory: https://update.axium.com/SqlServer/
Source: AjeraClient.exe	String found in binary or memory: https://update.axium.com/SupportingFiles/9Downloading
Source: AjeraClient.exe	String found in binary or memory: https://www.axium.com/DataUpload/
Source: AjeraClient.exe	String found in binary or memory: https://www.axium.com/DataUpload/ClientInvoiceDesignerInstallResults/cGCHandle
Source: AjeraClient.exe	String found in binary or memory: https://www.axium.com/DataUpload/InstallResults/EUnable
Source: AjeraClient.exe	String found in binary or memory: https://www.billandpay.com/business/authapp.php?appid=

Source: C:\Users\user\Desktop\AjeraClient.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4292 -s 724

Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: AjeraClient.exe	Binary or memory string: Ajera.RDLInvoices.VisualStudioReportProjectFiles.AjeraInvoiceFormat.sln/\AjeraInvoiceFormat.suo
Source: AjeraClient.exe	Binary or memory string: AjeraReporting\AjeraInvoiceFormat\AjeraCustomInvoiceFormat.rdl"MAjeraReporting\AjeraInvoiceFormat.sln"/\AjeraInvoiceFormat.sln
Source: AjeraClient.exe	Binary or memory string: /edit "QAjeraReporting\AjeraInvoiceFormat.sln" "
Source: AjeraClient.exe	Binary or memory string: Ajera.RDLInvoices.VisualStudioReportProjectFiles.AjeraInvoiceFormat.sln

Source: classification engine

Classification label: clean17.troj.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\AjeraClient.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4292

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9bb31423-38ff-42ad-b5f8-d577c945b4b1

Jump to behavior

Source: AjeraClient.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: AjeraClient.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.84%

Source: C:\Users\user\Desktop\AjeraClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT tKey,tStatus,tProject,tActivity,tType,tDate,tUnits,tCostRate,tCostAmount,tBilledUnits,tBilledRate,tBilledAmount,tNotes,tInhouseExpense,tIsImported,tCompany, tGLCostControlEntity = CONVERT(INT, 0) FROM AxTransaction WHERE tKey = 0/ Importing expenses ;Credit Department Description+Credit Department Key)tGLCostControlEntity'sImportExpensePhase-sImportExpenseActivityaSELECT eKey FROM AxEntity WHERE eDescription = '
Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT , reIsUsed = CONVERT(Bit,0) FROM AxReportingEntity WHERE reKey <> / ORDER BY reDescriptionoSELECT FROM AxOrganizationalLevel ORDER BY olKey DESC; AND reOrganizationalLevel =
Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT COUNT(*) FROM AxRecurringGLDistribution WHERE glrdEntity = ;UPDATE AxVEC SET vecEntity = ' WHERE vecEntity = S AND vecIsEmployee = 1 AND vecStatus = 1GUPDATE AxVEC SET vecVendorEntity = 3 WHERE vecVendorEntity = O AND vecIsVendor = 1 AND vecStatus = 1mUPDATE AxActivity SET actInHouseExpenseCreditEntity = O WHERE actInHouseExpenseCreditEntity = CUPDATE AxProject SET prjEntity = ' WHERE prjEntity = IUPDATE AxBankAccount SET baEntity = % WHERE baEntity = ]UPDATE AxGLExpenseAllocation SET gleaEntity = ) WHERE gleaEntity = {UPDATE AxRecurringVendorInvoiceDistribution SET vridEntity = ) WHERE vridEntity = eUPDATE AxRecurringGLDistribution SET glrdEntity = ) WHERE glrdEntity = 'DepartmentSetupForm!Department Setup
Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT COUNT(*) FROM AxRecurringGLDistribution WHERE (glrdAccount = ;) OR (glrdCashBasisAccount =
Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT resProject FROM AxResource WHERE resActivityType = 1 AND resEmployee = {0}%Refreshing data...iRefresh of cache failed likely corrupted local cache;SELECT CAST(@@DBTS AS BIGINT)
Source: AjeraClient.exe, 00000000.00000000.2015086331.00000287FA3D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT pcEmployee, payW2Box, payW2Description, tYtdAmount = SUM(tPayrollAmount) FROM PayCheckPay WHERE payW2Box > 0 AND pcStatus = ; AND prPayDate >= '01/01/

Source: AjeraClient.exe	String found in binary or memory: Add Consultant/Add consultant resourceIrecalculate the cost and fee amounts
Source: AjeraClient.exe	String found in binary or memory: Rows Row-Add column to the left/Add column to the right
Source: AjeraClient.exe	String found in binary or memory: Rows Row-Add column to the left/Add column to the right
Source: AjeraClient.exe	String found in binary or memory: First Employee#Beginning install-Stopping Ajera Service
Source: AjeraClient.exe	String found in binary or memory: ===========/Installation successful
Source: AjeraClient.exe	String found in binary or memory: Update from ahttps://www.axium.com/DataUpload/InstallResults/EUnable to log installation results
Source: AjeraClient.exe	String found in binary or memory: Start/stop time
Source: AjeraClient.exe	String found in binary or memory: Start/stop time
Source: AjeraClient.exe	String found in binary or memory: pctYTDSubjectTo-AddedMedicareWagesTips7TaxOnAddedMedicareWagesTips7TotalSocialSecurityMedTaxes#SickPayAdjustment5FractionsOfCentsAdjustment=TotalDepositsOverpaymentForQtr

Source: unknown	Process created: C:\Users\user\Desktop\AjeraClient.exe "C:\Users\user\Desktop\AjeraClient.exe"
Source: C:\Users\user\Desktop\AjeraClient.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4292 -s 724

Source: C:\Users\user\Desktop\AjeraClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: AjeraClient.exe

Static PE information: certificate valid

Source: AjeraClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AjeraClient.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: AjeraClient.exe

Static file information: File size 8345424 > 1048576

Source: AjeraClient.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7ed000

Source: AjeraClient.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb; source: WER472.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER472.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER472.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\AjeraClient.exe	Memory allocated: 287FAEE0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Memory allocated: 287FCAB0000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\AjeraClient.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\AjeraClient.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\AjeraClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\AjeraClient.exe

Queries volume information: C:\Users\user\Desktop\AjeraClient.exe VolumeInformation

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AjeraClient.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://fa1171/Ajera/SAService.rem	0%	Avira URL Cloud	safe
https://ajera.comEUnable	0%	Avira URL Cloud	safe
https://update.axium.com/SupportingFiles/9Downloading	0%	Avira URL Cloud	safe
https://axium.nelcoportal.com/IntegrationService.svc	0%	Avira URL Cloud	safe
https://www.axium.com/DataUpload/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.AccountSetup	0%	Avira URL Cloud	safe
https://axwebservices.axium.com/webservices/ajeraservice.asmx	0%	Avira URL Cloud	safe
http://www.axium.com/solutioncenter7https://www.ajerausers.org/-Crystal	0%	Avira URL Cloud	safe
https://axium.nelcoportal.com/IntegrationService.svc?	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.Transmit	0%	Avira URL Cloud	safe
https://www.axium.com/DataUpload/ClientInvoiceDesignerInstallResults/cGCHandle	0%	Avira URL Cloud	safe
https://axiumsdkdev.nelcoportal.com/IntegrationService.svc	0%	Avira URL Cloud	safe
http://www.axiumae.com/DataUpload/CustomCrystal/	0%	Avira URL Cloud	safe
http://www.axium.com/support/webinars.aspxghttp://www.axium.com/support/training-sessions.aspx	0%	Avira URL Cloud	safe
https://update.axium.com/SqlServer/	0%	Avira URL Cloud	safe
https://www.axium.com/DataUpload/InstallResults/EUnable	0%	Avira URL Cloud	safe
http://www.axium.com/legal/SoftwareLicenseAjera.aspx?record=	0%	Avira URL Cloud	safe
http://www.axium.com/legal/SoftwareLicenseAjera.aspx/Ajera	0%	Avira URL Cloud	safe
http://www.axium.com/company/contact-us.aspx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fa1171/Ajera/SAService.rem	AjeraClient.exe	false	Avira URL Cloud: safe	low
http://help.deltek.com/learningcentersecurity.aspxSHelp	AjeraClient.exe	false		high
https://axwebservices.axium.com/webservices/ajeraservice.asmx	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://www.axium.com/solutioncenter7https://www.ajerausers.org/-Crystal	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://ajera.comEUnable	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://axium.nelcoportal.com/IntegrationService.svc	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://www.axium.com/DataUpload/	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://www.axium.com/DataUpload/ClientInvoiceDesignerInstallResults/cGCHandle	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://update.axium.com/SupportingFiles/9Downloading	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://axium.nelcoportal.com/IntegrationService.svc?	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.AccountSetup	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://nelcosolutions.com/IntegrationService/DashboardUrl	AjeraClient.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://schemas.datacontract.org/2004/07/FileTaxes.PartnerIntegration.Transmit	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://nelcosolutions.com/IntegrationService/Transmit	AjeraClient.exe	false		high
https://axiumsdkdev.nelcoportal.com/IntegrationService.svc	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://www.axium.com/support/webinars.aspxghttp://www.axium.com/support/training-sessions.aspx	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://nelcosolutions.com/IntegrationService/AccountSetup	AjeraClient.exe	false		high
http://nelcosolutions.com/TU	AjeraClient.exe	false		high
http://www.axiumae.com/DataUpload/CustomCrystal/	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://update.axium.com/SqlServer/	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://nelcosolutions.com/T	AjeraClient.exe	false		high
http://www.axium.com/legal/SoftwareLicenseAjera.aspx/Ajera	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
https://www.billandpay.com/business/authapp.php?appid=	AjeraClient.exe	false		high
http://help.deltek.com/learningcentersecurity.aspx?version=8	AjeraClient.exe	false		high
https://www.axium.com/DataUpload/InstallResults/EUnable	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://www.axium.com/legal/SoftwareLicenseAjera.aspx?record=	AjeraClient.exe	false	Avira URL Cloud: safe	unknown
http://www.greatland.com/Schemas/GWX/1.0/	AjeraClient.exe	false		high
http://www.surveymonkey.com/s/MGDWLLGkAxium	AjeraClient.exe	false		high
http://nelcosolutions.com/IntegrationService/EmailCredentials	AjeraClient.exe	false		high
http://nelcosolutions.com/	AjeraClient.exe	false		high
http://www.axium.com/company/contact-us.aspx	AjeraClient.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1416062
Start date and time:	2024-03-26 19:55:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AjeraClient.exe
Detection:	CLEAN
Classification:	clean17.troj.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: AjeraClient.exe

Simulations

Behavior and APIs

Time	Type	Description
19:56:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AjeraClient.exe_6563b875ae84bf1f0c3457b8eec59433e179d_2fc16863_449eee62-fe53-4c3a-9d43-053e873c7c56\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8895106424868332
Encrypted:	false
SSDEEP:	192:4+W4LTsaVA0biwMcaWAe5zuiFkZ24lO87Q:4qvsaVbbiwMcajwzuiFkY4lO87Q
MD5:	E015C208AEDA5ED6E846D2C0C089211E
SHA1:	6052E55CDA82DD2E81B6EEA63BA7FACC68FC01E6
SHA-256:	D75FD7ED857816D40F533C3A6D4C423A5287B2EE96717752FA82FEDECF205A92
SHA-512:	AF305BEFA25A98530D1203D947B95F56DD0E6A86ECDD36DB8FC1F1ACDE49FAF1DDE782EA8EDE9E34625E0D81B03010C8374286BE4DA91169F431F4C9E89681B6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.9.5.2.9.7.5.2.8.4.9.3.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.9.5.2.9.7.5.6.4.4.3.1.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.9.e.e.e.6.2.-.f.e.5.3.-.4.c.3.a.-.9.d.4.3.-.0.5.3.e.8.7.3.c.7.c.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.b.c.9.9.5.2.-.d.8.5.c.-.4.c.2.a.-.a.8.d.2.-.e.2.e.9.3.d.8.f.c.d.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.A.j.e.r.a.C.l.i.e.n.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.j.e.r.a.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.c.4.-.0.0.0.1.-.0.0.1.4.-.6.b.8.4.-.c.c.4.6.a.f.7.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.e.8.a.c.3.f.8.d.b.d.5.3.c.a.d.0.a.7.b.3.4.3.e.5.e.4.5.c.a.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.e.1.6.e.1.6.6.1.9.3.b.7.3.d.d.2.e.3.5.6.c.5.f.7.e.8.3.3.7.1.a.f.8.c.2.e.4.5.7.!.A.j.e.r.a.C.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER472.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Mar 26 18:56:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	261137
Entropy (8bit):	3.212196349087942
Encrypted:	false
SSDEEP:	1536:FV/kyd2IuFlibu2eCyPyyJ5S2Ff9SFWFZ9jCC8jH/8vYhAKCKmXh5+vMT9T:TkF4jrcSNFWv1CCqUvNRv3+vs9T
MD5:	47ED4C8C6D316AEF195A9EAD4DBA4144
SHA1:	491A1711DEE1AA40E1F0DAE581251051EFE0E8FD
SHA-256:	C9EB1AB90111A3C81459427160C65F116F227197E898B1654744587DE7F0AFF7
SHA-512:	CBB9FF4692387CE73F694BD26BEF626DD8332929C3F3863E27DB023DDE86411A2417685C5AA4FE76AF83A7ABC34D887FE67EF139C31DFC3BF815206B62D210C9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......O..f............$...............D.......$...........................`@..........l.......8...........T...............A.......................................................................................................eJ..............Lw......................T...........N..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8560
Entropy (8bit):	3.7003482863290302
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4jRSw6YEI3wkzFtagmfBC4dv3prj89bXrHfQdm:R6lXJyRSw6YE4wYFtagmfBC4dvuXLfX
MD5:	DB635B77E2A47C7625A5C1A0FDC1933A
SHA1:	48502C4E93853E4BB93D6DC434C8F93B582EE564
SHA-256:	F51EF108C7734D9182B6319C8D0C8322C003DD27FF3F8BE8020E984A670B0E7F
SHA-512:	31B7EEC873D33FF570B524EA7C8059FE6B240FD7CB7FC9A747CFCB05088AC5541AC929988C0A91C7948B11C9538787EA3F20C16F680EE2E3EF398052B39AEE44
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER54F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.483683264631342
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I983WpW8VYkuYm8M4J0sFjPyq85kyGRORd:uIjfpI7bG7V5HJD0IORd
MD5:	F62EF7864DC336EA1335629C87CD65B8
SHA1:	83ED6412407BB1FE2C96BA2C0AA0ACD847F1B4CB
SHA-256:	84880181B8AA128235CC4AA23924B41B693FFCD432E6A390777AA39FAC8F10CA
SHA-512:	114672ACC8D4D08F5E586D16900B68CBAA6AF9B821E1B0BDBDC91598439A76627B6C5724793E03B22E24C5779C05DE61A4D06EEA51709B77D5E22F77674F4728
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="252598" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421671641516117
Encrypted:	false
SSDEEP:	6144:RSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:ovloTMW+EZMM6DFyH03w
MD5:	19BF1C05C1F05E70857E52BC5A42E619
SHA1:	4F068F48B887099FEF30A98CFCAA7883C4886FA5
SHA-256:	3CD0803877BDEBE902E8755B66DC828FF8E2A28812CE8B6FD72DBEA0421E1181
SHA-512:	A1E90B7B174F61129E473974CF5025F78962474FE88576C09107CE7BB98B1CA7471ADA1FFD703E3ADB7400907AD4E6BC01836996A6874BE28A17B6BF98F1D520
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7G..................................................................................................................................................................................................................................................................................................................................................!s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.995926124590123
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.84% Win32 Executable (generic) a (10002005/4) 49.79% InstallShield setup (43055/19) 0.21% Visual Basic Script (13500/0) 0.07% Windows Screen Saver (13104/52) 0.07%
File name:	AjeraClient.exe
File size:	8'345'424 bytes
MD5:	40928e4178bda59e746e16881c5fe666
SHA1:	ee16e166193b73dd2e356c5f7e83371af8c2e457
SHA256:	3cef09741f920edcd4b7f0979ac2598c2ebff77323f614f566eb0e1d07cc4758
SHA512:	58fc061ad070c66b233198ae87ff4c6fbe4d2b63d804ec8b1009f42a4d6c51d55cb67b0834019291e546c9e748fadb6f8aff433fa030f3caad128066417548cf
SSDEEP:	49152:14S68ZfxaJVwKtGtHESMfUiD4cwXsasJnE3sb5E9a8v644ITdw1M0zLde:14S7fx+Gtkvff8ieTCJe
TLSH:	FC86B55072E82917E07A96F46A7094909BB3B86B5675C6DC3C8D329F1FF2F105A13B23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]F.e.........."...0...~..P........~.. ........... .......................`....... ....`................................

File Icon


Icon Hash:	6749b5b1272e371c

Static PE Info

General

Entrypoint:	0x117ee912
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DF465D [Wed Feb 28 14:42:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	13/08/2021 02:00:00 17/09/2024 01:59:59
Subject Chain	CN="Deltek, Inc.", OU=IT, O="Deltek, Inc.", L=Herndon, S=Virginia, C=US
Version:	3
Thumbprint MD5:	D125B9A1F86DA1000312829EE2B0E10F
Thumbprint SHA-1:	00C4F09E0CBC73CD5AE87A9F467C04946A8BA51B
Thumbprint SHA-256:	AE139B132D652880A80466B89B59FDAF264F8654B319512B303F0501D917F119
Serial:	0EDD3A7AD82E41D8EE30D6A26856D4F0

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
and byte ptr [eax], al
sub al, 00h
cmp eax, dword ptr [eax]
add byte ptr [eax], al
sub eax, B90E2047h
add al, 6Ch
dec edi
clc
or dh, dl
sahf
xor eax, 02404DFCh
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
xor dword ptr [eax], edi
add eax, dword ptr [edi+edx*2+5E62E19Eh]
call far 7C1Eh : B5E71CFDh
sub dword ptr [ebp+edi*4-17h], ebp
inc ebx
shr byte ptr [edx-06h], cl
inc eax
aam 77h
fstp tbyte ptr [eax+edx+79h]
or eax, 83B6707Fh
popfd
xchg eax, edi
jle 00007FDD68D55FBBh
xchg eax, esi
cdq
into
sub esp, esp
xor esi, ebx
xor al, D6h
and al, AFh
or ah, byte ptr [ecx+edx+7CDA24D8h]
cmp ah, cl
dec esp
push 2F005C3Eh
add byte ptr [edi], ah
add byte ptr [eax], al
add dl, cl
imul ebx, dword ptr [ecx], C4967BD0h
dec ecx
jnp 00007FDD68D55F5Ah
rol byte ptr [edx-6Bh], 1
wait
mov al, AFh
dec edx
retf 37ECh
loopne 00007FDD68D5600Ch
dec ebp
adc dword ptr [eax], eax
jp 00007FDD68D55F6Bh
insb
push edx
pop esi
mov word ptr [edx+ebp], seg?
sub byte ptr [edi+34h], dh
sti
lock xor dword ptr [ebx+7F961592h], esi
pop ss
xchg eax, esp
add al, byte ptr [eax]
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [edi], cl
add byte ptr [eax], al
add byte ptr [1E000000h], cl
add byte ptr [eax], al
add byte ptr [ecx], dl
add byte ptr [eax], al
add byte ptr [eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000018h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7ee8c0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7f0000	0x3f24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7f3000	0x2750
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7eca08	0x7ed000	d45586f1a22dc6fff31f4b499c3f308b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7f0000	0x3f24	0x4000	3c65a62ca677755ba87b03c2be26c2c3	False	0.2391357421875	data	3.5199727864748405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7f4000	0xc	0x1000	7f121fc8667530c229e7a713a953430a	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x7f0108	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.20259336099585062
RT_ICON	0x7f26c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2950281425891182
RT_ICON	0x7f3778	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.525709219858156
RT_GROUP_ICON	0x7f3bf0	0x30	data	0.8541666666666666
RT_VERSION	0x7f3c30	0x2f0	SysEx File - IDP	0.4321808510638298

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AjeraClient.exePID: 4292, Parent PID: 1028

General

Target ID:	0
Start time:	19:56:14
Start date:	26/03/2024
Path:	C:\Users\user\Desktop\AjeraClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\AjeraClient.exe"
Imagebase:	0x287fa3d0000
File size:	8'345'424 bytes
MD5 hash:	40928E4178BDA59E746E16881C5FE666
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3184, Parent PID: 4292

General

Target ID:	4
Start time:	19:56:15
Start date:	26/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4292 -s 724
Imagebase:	0x7ff67aee0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AjeraClient.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AjeraClient.exe_6563b875ae84bf1f0c3457b8eec59433e179d_2fc16863_449eee62-fe53-4c3a-9d43-053e873c7c56\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER472.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER54F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: AjeraClient.exePID: 4292, Parent PID: 1028

Windows Analysis Report
AjeraClient.exe