ID: 199652
Sample Name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old
Cookbook: default.jbs
Time: 14:35:41
Date: 08/01/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents
Table of Contents 2
Analysis Report AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old 4
Overview 4
General Information 4
Detection 4
Confidence 4
Classification 5
Analysis Advice 5
Mitre Att&ck Matrix 6
Signature Overview 6
AV Detection: 6
Cryptography: 6
Networking: 6
Key, Mouse, Clipboard, Microphone and Screen Capturing: 6
System Summary: 6
Data Obfuscation: 7
Persistence and Installation Behavior: 7
Malware Analysis System Evasion: 7
Anti Debugging: 7
HIPS / PFW / Operating System Protection Evasion: 7
Language, Device and Operating System Detection: 7
Malware Configuration 7
Behavior Graph 7
Simulations 8
Behavior and APIs 8
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 9
Unpacked PEs 9
Sigma Overview 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 10
Created / dropped Files 11
Domains and IPs 11
Contacted Domains 11
URLs from Memory and Binaries 11
Contacted IPs 11
Static File Info 12
General 12
File Icon 12
Static PE Info 12
General 12
Authenticode Signature 12
Entrypoint Preview 13
Rich Headers 14
Data Directories 14
Sections 14
Resources 14
Imports 14
Possible Origin 15
Network Behavior 15
Code Manipulations 15
Statistics 15
System Behavior 15
Analysis Process: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe PID: 3848 Parent PID: 3964 16
General 16
Disassembly 16
Code Analysis 16
Copyright Joe Security LLC 2020 Page 2 of 16
Analysis Report AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 199652
Start date: 08.01.2020
Start time: 14:35:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old (renamed file extension from old to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 20.4% (good quality ratio 19.3%)
Quality average: 76.2%
Quality standard deviation: 27.9%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Detection
Strategy Score Range Reporting Whitelisted Detection
Threshold 48 0 - 100 false
Confidence
Strategy Score Range Further Analysis Required? Confidence
Threshold 5 0 - 5 false
Classification
Classification chart (figure; only its labels survive extraction). Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.
Analysis Advice
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/" or "--").
Mitre Att&ck Matrix
The matrix is listed here by tactic (column); the digits following a technique name are the report's signature-match counts.
Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface 2; Execution through API 2; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Obfuscated Files or Information
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Time Discovery 1; Process Discovery 1; Security Software Discovery 2; System Information Discovery 1 2
Lateral Movement: Remote File Copy 1 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Remote File Copy 1 1; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Signature Overview
• AV Detection
• Cryptography
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
AV Detection:
Multi AV Scanner detection for submitted file
Cryptography:
Uses Microsoft's Enhanced Cryptographic Provider
Networking:
Contains functionality to download additional files from the internet
Urls found in memory or binary data
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
System Summary:
Detected potential crypto function
Found potential string decryption / allocating functions
Classification label
Might use command line arguments
PE file has an executable .text section and no other executable section
Reads software policies
Sample is known by Antivirus
PE / OLE file has a valid certificate
PE file contains a debug data directory
Binary contains paths to debug symbols
Data Obfuscation:
Contains functionality to dynamically determine API calls
Uses code obfuscation techniques (call, push, ret)
Persistence and Installation Behavior:
Contains functionality to download and launch executables
Malware Analysis System Evasion:
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Program does not show much activity (idle)
Program exit points
Anti Debugging:
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to register its own exception handler
HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Language, Device and Operating System Detection:
Contains functionality to query locale information (e.g. system language)
Contains functionality to query local / system time
Malware Configuration
No configs have been found
Behavior Graph
Behavior graph (figure; only its labels survive extraction). ID: 199652; Sample: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe; Startdate: 08/01/2020; Architecture: WINDOWS; Score: 48. Nodes: process AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe (C, C++ or other language), with the signature "Multi AV Scanner detection for submitted file" (is malicious) attached to it. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe | 27% | Virustotal |
AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe | 19% | Metadefender |
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
127.0.0.1:1886/setState?s=%d&rand=%d | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForStateChange?s=%c&format=text | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%d | 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe
tsa.certum.pl0 | 0% | Avira URL Cloud | safe
127.0.0.1:1886/startpageapi/notification?ac=disable&rand=%dPathSOFTWARE | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%dcomplete.pngProgidSoftware | 0% | Avira URL Cloud | safe
127.0.0.1:1886/shutdown | 0% | Virustotal |
127.0.0.1:1886/shutdown | 0% | Avira URL Cloud | safe
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%strueStop | 0% | Avira URL Cloud | safe
127.0.0.1:1886/config/get?key=port | 0% | Avira URL Cloud | safe
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%s | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForStateChange?s=%c&format=texthomepage.urlsettings.urlabout.urlhelp.urlsh | 0% | Avira URL Cloud | safe
127.0.0.1:1886/setState?s=%d&rand=%dhttp://127.0.0.1:1886/startpageapi/notification?ac=enable | 0% | Avira URL Cloud | safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe (PID: 3848, cmdline: 'C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe', MD5: 3E124BE177B50F89106A8AC4D80512A9)
cleanup
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Source for every entry below: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe
Name | Malicious | Antivirus Detection | Reputation
www.genieo.com/faq/11 | false | | high
www.genieo.com/faq/12 | false | | high
127.0.0.1:1886/setState?s=%d&rand=%d | false | Avira URL Cloud: safe | unknown
cs-g2-crl.thawte.com/ThawteCSG2.crl0 | false | | high
crl.thawte.com/ThawtePCA.crl0 | false | | high
updater.genieo.com/track_event?event=engine_hang_restart | false | | high
www.genieo.com/firsttime?p=WelcomeScreen: | false | | high
127.0.0.1:1886/waitForStateChange?s=%c&format=text | false | Avira URL Cloud: safe | unknown
www.genieo.com/faq/11uac_retry.pngShow | false | | high
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%d | false | Avira URL Cloud: safe | unknown
ocsp.thawte.com0 | false | URL Reputation: safe | unknown
tsa.certum.pl0 | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/startpageapi/notification?ac=disable&rand=%dPathSOFTWARE | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%dcomplete.pngProgidSoftware | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/shutdown | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
analytics.genieo.com/track | false | | high
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%strueStop | false | Avira URL Cloud: safe | unknown
www.genieo.com/firsttime?p= | false | | high
127.0.0.1:1886/config/get?key=port | false | Avira URL Cloud: safe | unknown
www.genieo.com/faq/12network_retry.pngMessageScreen | false | | high
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%s | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/waitForStateChange?s=%c&format=texthomepage.urlsettings.urlabout.urlhelp.urlsh | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/setState?s=%d&rand=%dhttp://127.0.0.1:1886/startpageapi/notification?ac=enable | false | Avira URL Cloud: safe | unknown
crl.certum.pl/ca.crl0 | false | | high
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.5055325335076555
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe
File size: 529248
MD5: 3e124be177b50f89106a8ac4d80512a9
SHA1: 34fb84156613413fa23e2f1d13b0db1111bc3f73
SHA256: a5bb815cc884cb784ae040de54aeca84f2d5c6eba5d56e8693e4fd41efbfd9e6
SHA512: f46fd95c20671686bae2d87018b5d3c5b593bccca0bdc3f851d68e32e0cada9c987494187a1d70be627ba26f18b2566c8c2e9962554473f53ebf23831ad65de0
SSDEEP: 6144:J1289dsfSqVBqfyLoJtleYoXjjbJEjWg12TdZNb3VdrVvrtcqATQTQAOmwNDBBvI:fP9dQn7kJtgfjjlEnTQ0UABBveTiC
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... %..Na... a...a.....,.d...../.X.....9...... >."...a...d...F...x.....0.:...... `.....+. `...Richa...... PE..L..
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x40f64a
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5162C4F3 [Mon Apr 8 13:24:03 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f79ac5f21170d2a7c2b023720bf0bfd4
Authenticode Signature
Signature Valid: true
Signature Issuer: CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 1/5/2012 4:00:00 PM, 2/7/2014 3:59:59 PM
Subject Chain: CN=Genieo Innovation LTD, O=Genieo Innovation LTD, L=Herzliah, S=Israel, C=IL
Version: 3
Thumbprint MD5: BB121473E3277DBBEC0E04BDF2BF78D7
Thumbprint SHA-1: 7A23DBA21278245291296B3E6C837E244B2F308C
Thumbprint SHA-256: 076ACE776FD445FAF372022A6F4CA8D5779DEF55AFBE23199A74127B9E99FD1C
Serial: 3FC43777FA374B717C09D098544C20F1
Entrypoint Preview
Instruction
call 00007F30C8378770h
jmp 00007F30C836A9AEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push dword ptr [ebp+0Ch]
lea ecx, dword ptr [ebp-10h]
call 00007F30C8367087h
movzx eax, byte ptr [ebp+08h]
mov ecx, dword ptr [ebp-10h]
mov ecx, dword ptr [ecx+000000C8h]
movzx eax, word ptr [ecx+eax*2]
and eax, 00008000h
cmp byte ptr [ebp-04h], 00000000h
je 00007F30C836AB39h
mov ecx, dword ptr [ebp-08h]
and dword ptr [ecx+70h], FFFFFFFDh
leave
ret
mov edi, edi
push ebp
mov ebp, esp
push 00000000h
push dword ptr [ebp+08h]
call 00007F30C836AAEEh
pop ecx
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ebx, ebx
push esi
push edi
cmp dword ptr [ebp+10h], ebx
je 00007F30C836AC0Bh
push dword ptr [ebp+14h]
lea ecx, dword ptr [ebp-10h]
call 00007F30C836702Eh
cmp dword ptr [ebp+08h], ebx
jne 00007F30C836AB60h
call 00007F30C836A2D8h
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h
call 00007F30C83673DCh
add esp, 14h
cmp byte ptr [ebp-04h], bl
je 00007F30C836AB39h
mov eax, dword ptr [ebp-08h]
and dword ptr [eax+70h], FFFFFFFDh
mov eax, 7FFFFFFFh
jmp 00007F30C836ABCEh
mov edi, dword ptr [ebp+0Ch]
cmp edi, ebx
je 00007F30C836AAFDh
mov esi, 7FFFFFFFh
cmp dword ptr [ebp+10h], esi
jbe 00007F30C836AB5Ah
call 00007F30C836A299h
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h
Rich Headers
Programming Language:
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7a48c | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x314 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x80200 | 0x1160 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5b430 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x771f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5b000 | 0x388 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59c63 | 0x59e00 | False | 0.463550721488 | data | 6.45619552974 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x5b000 | 0x2077a | 0x20800 | False | 0.403605769231 | data | 5.60604573735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7c000 | 0x76d8 | 0x5400 | False | 0.294131324405 | data | 5.06309207923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x314 | 0x400 | False | 0.39453125 | data | 4.66231444685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country
RT_MENU | 0x840a0 | 0x118 | data | Hebrew | Israel
RT_MANIFEST | 0x841b8 | 0x15a | ASCII text, with CRLF line terminators | English | United States
Imports
DLL | Import
WS2_32.dll | shutdown, inet_addr, htons, socket, connect, send, closesocket, WSAStartup, WSACleanup, recv, setsockopt
urlmon.dll | URLDownloadToFileW
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, EnumProcessModules
WININET.dll | HttpSendRequestW, InternetCloseHandle, HttpOpenRequestW, HttpQueryInfoW, InternetSetOptionW, InternetCrackUrlW, InternetConnectW, InternetReadFile, InternetQueryDataAvailable, InternetOpenW
KERNEL32.dll | LeaveCriticalSection, CreateFileW, FlushFileBuffers, EnterCriticalSection, GetLocalTime, DeleteCriticalSection, GetExitCodeThread, CreateEventW, VirtualQuery, FreeLibrary, SetEvent, GetTickCount, ReadProcessMemory, GetProcAddress, OpenEventW, HeapAlloc, HeapFree, GetProcessHeap, DeleteFileW, SetLastError, WideCharToMultiByte, ReadFile, GetStartupInfoA, CopyFileW, WriteFile, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetModuleFileNameA, GetStdHandle, VirtualAlloc, VirtualFree, HeapCreate, HeapSize, InterlockedDecrement, GetCurrentThreadId, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, RaiseException, GetStartupInfoW, HeapReAlloc, RtlUnwind, GetSystemTimeAsFileTime, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetFileType, InitializeCriticalSection, SetFilePointer, GetFileSize, TerminateThread, lstrcpynW, CreateThread, GetTempFileNameW, GetTempPathW, ExitProcess, GetModuleHandleW, CloseHandle, TerminateProcess, GetExitCodeProcess, OpenProcess, GetLastError, MultiByteToWideChar, lstrlenA, Sleep, GetCommandLineW, CreateDirectoryW, ReleaseSemaphore, WaitForSingleObject, CreateSemaphoreW, GetConsoleCP, GetConsoleMode, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, SetHandleCount
USER32.dll | IsWindowVisible, GetLastInputInfo, wsprintfW, FindWindowW, GetDoubleClickTime, DestroyMenu, PostQuitMessage, PostMessageW, TrackPopupMenu, SetForegroundWindow, CheckMenuItem, ModifyMenuW, GetCursorPos, GetSubMenu, LoadMenuW, RegisterWindowMessageW, KillTimer, FillRect, InvalidateRect, SetTimer, DefWindowProcW, SetCursor, EndPaint, BeginPaint, ShowWindowAsync, ShowWindow, PtInRect, RegisterClassW, LoadImageW, SetWindowPos, SetWindowLongW, GetWindowLongW, CreateWindowExW, LoadCursorW, DestroyWindow, GetWindowRect, GetClassNameW, DispatchMessageW, TranslateMessage, GetMessageW, SendMessageW
GDI32.dll | CreateCompatibleDC, CreateRectRgnIndirect, SaveDC, SetStretchBltMode, GetClipBox, ExtSelectClipRgn, RestoreDC, TextOutW, SetTextAlign, SetTextColor, SetBkMode, SelectObject, SetPixel, DeleteObject, CreateBrushIndirect, GetStockObject, CreateDIBSection, DeleteDC, SetDIBitsToDevice, BitBlt, CreateFontW
ADVAPI32.dll | RegQueryValueExW, RegCreateKeyExW, RegCloseKey, RegEnumValueA, RegQueryInfoKeyA, RegOpenKeyExW, RegEnumValueW, CryptHashData, CryptDestroyHash, CryptCreateHash, CryptReleaseContext, CryptAcquireContextW, CryptGetHashParam, RegNotifyChangeKeyValue
SHELL32.dll | Shell_NotifyIconA, Shell_NotifyIconW, ShellExecuteW, CommandLineToArgvW, SHAppBarMessage, ShellExecuteExW, ShellExecuteA
ole32.dll | CoUninitialize, CoCreateGuid, CoInitialize, StringFromGUID2, CoInitializeEx
SHLWAPI.dll | StrTrimA, SHRegGetUSValueA, SHSetValueW, SHGetValueW, SHRegGetUSValueW
Possible Origin
Language of compilation system | Country where language is spoken
Hebrew | Israel
English | United States
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe PID: 3848 Parent PID: 3964
General
Start time: 14:36:51
Start date: 08/01/2020
Path: C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe'
Imagebase: 0x400000
File size: 529248 bytes
MD5 hash: 3E124BE177B50F89106A8AC4D80512A9
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Disassembly
Code Analysis