Joe Sandbox Analysis Report
ID: 199652
Sample Name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old
Cookbook: default.jbs
Time: 14:35:41
Date: 08/01/2020
Version: 28.0.0 Lapis Lazuli
Copyright Joe Security LLC 2020

Table of Contents

Analysis Report AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview: AV Detection; Cryptography; Networking; Key, Mouse, Clipboard, Microphone and Screen Capturing; System Summary; Data Obfuscation; Persistence and Installation Behavior; Analysis System Evasion; Anti Debugging; HIPS / PFW / Operating System Protection Evasion; Language, Device and Operating System Detection
    Malware Configuration
    Behavior Graph
    Simulations: Behavior and APIs
    Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
    Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
    Sigma Overview
    Joe Sandbox View / Context: IPs; Domains; ASN; JA3 Fingerprints; Dropped Files
    Screenshots: Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs: Contacted Domains; URLs from Memory and Binaries; Contacted IPs
  Static File Info: General; File Icon
    Static PE Info: General; Authenticode Signature; Entrypoint Preview; Rich Headers; Data Directories; Sections; Resources; Imports; Possible Origin
  Network Behavior
  Code Manipulations
  Statistics
  System Behavior
    Analysis Process: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe PID: 3848 Parent PID: 3964: General
  Disassembly: Code Analysis

Analysis Report AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 199652
Start date: 08.01.2020
Start time: 14:35:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.old (renamed file extension from old to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 20.4% (good quality ratio 19.3%)
Quality average: 76.2%
Quality standard deviation: 27.9%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated

Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 48
Range: 0 - 100
Whitelisted: false
Detection: MAL

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

[Classification chart: a radar plot with clean / suspicious / malicious rings over the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware. The report's classification label is mal48.winEXE@1/0@0/0.]

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix

The original is a 13-column grid, one column per tactic; it is reproduced here one tactic per line. The trailing digits are the report's own signature markers on techniques that matched; techniques without a marker are the unmatched template cells of the grid.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface 2; Execution through API 2; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Obfuscated Files or Information
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Time Discovery 1; Process Discovery 1; Security Software Discovery 2; System Information Discovery 1 2
Lateral Movement: Remote File Copy 1 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Remote File Copy 1 1; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Networking:

Contains functionality to download additional files from the internet

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

System Summary:

Detected potential crypto function

Found potential string decryption / allocating functions

Classification label

Might use command line arguments

PE file has an executable .text section and no other executable section

Reads software policies

Sample is known by Antivirus

PE / OLE file has a valid certificate

PE file contains a debug data directory

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Contains functionality to download and launch executables

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Program does not show much activity (idle)

Program exit points

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query local / system time

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph: ID 199652, sample AF133EF1-8B1C-4BC4-90C5-4E2..., start date 08/01/2020, architecture WINDOWS, score 48. The graph holds a single process node, AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe (C, C++ or other language), started for the submitted file, with one attached signature node, "Multi AV Scanner detection for submitted file". No created-file, dropped-file or DNS/IP nodes are present.]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe | 27% | Virustotal |
AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe | 19% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
127.0.0.1:1886/setState?s=%d&rand=%d | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForStateChange?s=%c&format=text | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%d | 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe
tsa.certum.pl0 | 0% | Avira URL Cloud | safe
127.0.0.1:1886/startpageapi/notification?ac=disable&rand=%dPathSOFTWARE | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%dcomplete.pngProgidSoftware | 0% | Avira URL Cloud | safe
127.0.0.1:1886/shutdown | 0% | Virustotal |
127.0.0.1:1886/shutdown | 0% | Avira URL Cloud | safe
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%strueStop | 0% | Avira URL Cloud | safe
127.0.0.1:1886/config/get?key=port | 0% | Avira URL Cloud | safe
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%s | 0% | Avira URL Cloud | safe
127.0.0.1:1886/waitForStateChange?s=%c&format=texthomepage.urlsettings.urlabout.urlhelp.urlsh | 0% | Avira URL Cloud | safe
127.0.0.1:1886/setState?s=%d&rand=%dhttp://127.0.0.1:1886/startpageapi/notification?ac=enable | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe (PID: 3848, cmdline: 'C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe', MD5: 3E124BE177B50F89106A8AC4D80512A9)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Source for every entry: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe

Name | Malicious | Antivirus Detection | Reputation
www.genieo.com/faq/11 | false | | high
www.genieo.com/faq/12 | false | | high
127.0.0.1:1886/setState?s=%d&rand=%d | false | Avira URL Cloud: safe | unknown
cs-g2-crl.thawte.com/ThawteCSG2.crl0 | false | | high
crl.thawte.com/ThawtePCA.crl0 | false | | high
updater.genieo.com/track_event?event=engine_hang_restart | false | | high
www.genieo.com/firsttime?p=WelcomeScreen: | false | | high
127.0.0.1:1886/waitForStateChange?s=%c&format=text | false | Avira URL Cloud: safe | unknown
www.genieo.com/faq/11uac_retry.pngShow | false | | high
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%d | false | Avira URL Cloud: safe | unknown
ocsp.thawte.com0 | false | URL Reputation: safe | unknown
tsa.certum.pl0 | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/startpageapi/notification?ac=disable&rand=%dPathSOFTWARE | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/waitForChangeInNumberOfItems?currentNum=%dcomplete.pngProgidSoftware | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/shutdown | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
analytics.genieo.com/track | false | | high
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%strueStop | false | Avira URL Cloud: safe | unknown
www.genieo.com/firsttime?p= | false | | high
127.0.0.1:1886/config/get?key=port | false | Avira URL Cloud: safe | unknown
www.genieo.com/faq/12network_retry.pngMessageScreen | false | | high
127.0.0.1:1886/notification?a=waitForStateChange&enabled=%s | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/waitForStateChange?s=%c&format=texthomepage.urlsettings.urlabout.urlhelp.urlsh | false | Avira URL Cloud: safe | unknown
127.0.0.1:1886/setState?s=%d&rand=%dhttp://127.0.0.1:1886/startpageapi/notification?ac=enable | false | Avira URL Cloud: safe | unknown
crl.certum.pl/ca.crl0 | false | | high

Reading these strings: the 127.0.0.1:1886 entries are loopback addresses of a local HTTP API, not remote infrastructure, and the %d, %s and %c placeholders mark them as printf-style templates that the program fills in at run time. Trailing fragments such as PathSOFTWARE, complete.pngProgidSoftware, or the "0" after ocsp.thawte.com and crl.certum.pl/ca.crl are neighbouring string or ASN.1 bytes that the string extractor ran together with the URL. The thawte.com and certum.pl entries are the kind of CRL, OCSP and timestamping URLs carried inside the certificates of an Authenticode signature; with a signature block present in this file (see Authenticode Signature), that is their most likely origin.

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.5055325335076555
TrID:
  Win32 Executable (generic) a (10002005/4) 99.96%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe
File size: 529248 bytes
MD5: 3e124be177b50f89106a8ac4d80512a9
SHA1: 34fb84156613413fa23e2f1d13b0db1111bc3f73
SHA256: a5bb815cc884cb784ae040de54aeca84f2d5c6eba5d56e8693e4fd41efbfd9e6
SHA512: f46fd95c20671686bae2d87018b5d3c5b593bccca0bdc3f851d68e32e0cada9c987494187a1d70be627ba26f18b2566c8c2e9962554473f53ebf23831ad65de0
SSDEEP: 6144:J1289dsfSqVBqfyLoJtleYoXjjbJEjWg12TdZNb3VdrVvrtcqATQTQAOmwNDBBvI:fP9dQn7kJtgfjjlEnTQ0UABBveTiC
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... %..Na... a...a.....,.d...../.X.....9...... >."...a...d...F...x.....0.:...... `.....+. `...Richa...... PE..L..

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40f64a
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5162C4F3 [Mon Apr 8 13:24:03 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f79ac5f21170d2a7c2b023720bf0bfd4

Two hardening observations follow directly from these fields. DLL Characteristics carries only TERMINAL_SERVER_AWARE, so neither DYNAMIC_BASE (ASLR) nor NX_COMPAT (DEP opt-in) is set; together with RELOCS_STRIPPED and the empty base-relocation directory this means the image always loads at 0x400000. The April 2013 link timestamp sits inside the signing certificate's validity window (January 2012 to February 2014, see Authenticode Signature) and matches the VS2008 toolchain recorded in the Rich header.

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 1/5/2012 4:00:00 PM
Not After: 2/7/2014 3:59:59 PM
Subject Chain: CN=Genieo Innovation LTD, O=Genieo Innovation LTD, L=Herzliah, S=Israel, C=IL
Version: 3
Thumbprint MD5: BB121473E3277DBBEC0E04BDF2BF78D7
Thumbprint SHA-1: 7A23DBA21278245291296B3E6C837E244B2F308C
Thumbprint SHA-256: 076ACE776FD445FAF372022A6F4CA8D5779DEF55AFBE23199A74127B9E99FD1C
Serial: 3FC43777FA374B717C09D098544C20F1

The certificate expired in February 2014, yet the signature still validates at analysis time (January 2020). That is consistent with a timestamp countersignature, which Authenticode honours after certificate expiry because validity is judged at signing time rather than verification time; the binary's strings include the timestamping authority URL tsa.certum.pl. A valid signature establishes only that the file was signed with a key issued to the named subject and has not been altered since; it says nothing about intent, which is why the 27% and 19% multi-scanner detections above coexist with it.

Entrypoint Preview

Instruction
call 00007F30C8378770h
jmp 00007F30C836A9AEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push dword ptr [ebp+0Ch]
lea ecx, dword ptr [ebp-10h]
call 00007F30C8367087h
movzx eax, byte ptr [ebp+08h]
mov ecx, dword ptr [ebp-10h]
mov ecx, dword ptr [ecx+000000C8h]
movzx eax, word ptr [ecx+eax*2]
and eax, 00008000h
cmp byte ptr [ebp-04h], 00000000h
je 00007F30C836AB39h
mov ecx, dword ptr [ebp-08h]
and dword ptr [ecx+70h], FFFFFFFDh
leave
ret
mov edi, edi
push ebp
mov ebp, esp
push 00000000h
push dword ptr [ebp+08h]
call 00007F30C836AAEEh
pop ecx
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ebx, ebx
push esi
push edi
cmp dword ptr [ebp+10h], ebx
je 00007F30C836AC0Bh
push dword ptr [ebp+14h]
lea ecx, dword ptr [ebp-10h]
call 00007F30C836702Eh
cmp dword ptr [ebp+08h], ebx
jne 00007F30C836AB60h
call 00007F30C836A2D8h
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h
call 00007F30C83673DCh
add esp, 14h
cmp byte ptr [ebp-04h], bl
je 00007F30C836AB39h
mov eax, dword ptr [ebp-08h]
and dword ptr [eax+70h], FFFFFFFDh
mov eax, 7FFFFFFFh
jmp 00007F30C836ABCEh
mov edi, dword ptr [ebp+0Ch]
cmp edi, ebx
je 00007F30C836AAFDh
mov esi, 7FFFFFFFh
cmp dword ptr [ebp+10h], esi
jbe 00007F30C836AB5Ah
call 00007F30C836A299h
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h

This preview is generic Microsoft Visual C++ runtime code, not sample-specific logic. The entry point is the usual two-instruction stub (a call to the security-cookie initializer followed by a jmp into the CRT startup routine), and the repeated sequence of a call, five push ebx, mov dword ptr [eax], 00000016h, another call and add esp, 14h is the CRT parameter-validation macro: fetch the errno pointer, set errno to EINVAL (22), then call the invalid-parameter handler with five arguments. The Rich header below (VS2008 build 21022) agrees with this reading.

Rich Headers

Programming Language:
  [ C ] VS2008 build 21022
  [LNK] VS2008 build 21022
  [ASM] VS2008 build 21022
  [IMP] VS2005 build 50727
  [RES] VS2008 build 21022
  [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7a48c | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x314 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x80200 | 0x1160 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5b430 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x771f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5b000 | 0x388 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

IMAGE_DIRECTORY_ENTRY_SECURITY is the one directory whose first field is a raw file offset rather than an RVA. 0x80200 + 0x1160 = 0x81360 = 529248, exactly the file size, and assuming the usual 0x400-byte header (the report does not print raw offsets) the four sections' raw data (0x59e00 + 0x20800 + 0x5400 + 0x400) also ends at 0x80200. The Authenticode certificate table is therefore an overlay appended after .rsrc; the ".data" attribution above comes from reading the offset as an RVA (0x80200 falls in .data's virtual range 0x7c000 to 0x836d8) and does not mean the signature lives inside .data.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59c63 | 0x59e00 | False | 0.463550721488 | data | 6.45619552974 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x5b000 | 0x2077a | 0x20800 | False | 0.403605769231 | data | 5.60604573735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7c000 | 0x76d8 | 0x5400 | False | 0.294131324405 | data | 5.06309207923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x314 | 0x400 | False | 0.39453125 | data | 4.66231444685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
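The Data Directories and Sections tables above give enough to check where the Authenticode certificate table actually sits. The following Python is an added example written for this page, not code from Joe Sandbox or from the sample: it builds a minimal PE32 in memory whose section table and security directory mirror the report's values (a 0x400-byte header is an assumption, since the report prints no raw offsets; everything outside the headers and the WIN_CERTIFICATE prefix is zero filler), then parses it back and reports whether the certificate table starts where the raw section data ends, whether it runs to end of file, and which section a reader would wrongly attribute it to by treating the file offset as an RVA.

```python
"""Locate a PE32 image's Authenticode certificate table and check it against the
section table and the file size.  Added example for this report, not code from
Joe Sandbox or from the sample; the PE bytes are constructed in memory."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # certificate table: file offset + size, not an RVA
PE32_OPTIONAL_HEADER_SIZE = 0xE0
HEADERS_SIZE = 0x400                   # assumed SizeOfHeaders / PointerToRawData of .text

# (name, VirtualAddress, VirtualSize, SizeOfRawData) as printed in the report's Sections table
REPORT_SECTIONS = [
    (b".text",  0x1000,  0x59C63, 0x59E00),
    (b".rdata", 0x5B000, 0x2077A, 0x20800),
    (b".data",  0x7C000, 0x76D8,  0x5400),
    (b".rsrc",  0x84000, 0x314,   0x400),
]
REPORT_SECURITY_DIR = (0x80200, 0x1160)   # IMAGE_DIRECTORY_ENTRY_SECURITY from the report
REPORT_FILE_SIZE = 529248


def build_pe(sections, security_dir, file_size):
    """Assemble a minimal PE32 file: DOS stub, COFF header, optional header with the
    security directory set, a section table with contiguous raw data, and a
    WIN_CERTIFICATE header at the certificate offset.  Everything else is zero."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0103)
    opt = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<I", opt, 60, HEADERS_SIZE)   # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    table = b""
    raw_ptr = HEADERS_SIZE
    for name, va, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += rsize
    image = bytearray(file_size)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(headers)] = headers
    cert_off, cert_size = security_dir
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7 SignedData)
    struct.pack_into("<IHH", image, cert_off, cert_size, 0x0200, 0x0002)
    return bytes(image)


def parse_pe(data):
    """Return (sections, security_dir); sections are (name, va, vsize, raw_size, raw_ptr)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    security_dir = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security_dir = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rsize, rptr))
    return sections, security_dir


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, rsize, _ in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def check_certificate_table(data):
    """Describe where the certificate table sits: does it start where raw section data
    ends, does it run to end of file, and which section a reader would wrongly
    attribute it to if it treated the file offset as an RVA."""
    sections, (cert_off, cert_size) = parse_pe(data)
    raw_end = max(rptr + rsize for _, _, _, rsize, rptr in sections)
    result = {
        "cert_offset": cert_off,
        "cert_size": cert_size,
        "raw_sections_end": raw_end,
        "cert_follows_sections": cert_off == raw_end,
        "cert_ends_at_eof": cert_off + cert_size == len(data),
        "section_if_read_as_rva": section_for_rva(sections, cert_off),
    }
    if cert_size >= 8 and cert_off + 8 <= len(data):
        length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        result["win_certificate"] = {"dwLength": length, "wRevision": revision, "wCertificateType": cert_type}
    return result


if __name__ == "__main__":
    print(check_certificate_table(build_pe(REPORT_SECTIONS, REPORT_SECURITY_DIR, REPORT_FILE_SIZE)))
```

On the constructed image the checks come out as the prose above predicts: the raw section data ends at 0x80200, the certificate table starts there and ends exactly at the 529248-byte file size, and the offset read as an RVA lands in .data. To run the same check on a real file, replace build_pe with open(path, "rb").read(); parse_pe reads only the headers, so the check works on any PE32 whose certificate table is within the file.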

Resources

Name | RVA | Size | Type | Language | Country
RT_MENU | 0x840a0 | 0x118 | data | Hebrew | Israel
RT_MANIFEST | 0x841b8 | 0x15a | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
WS2_32.dll | shutdown, inet_addr, htons, socket, connect, send, closesocket, WSAStartup, WSACleanup, recv, setsockopt
urlmon.dll | URLDownloadToFileW
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, EnumProcessModules
WININET.dll | HttpSendRequestW, InternetCloseHandle, HttpOpenRequestW, HttpQueryInfoW, InternetSetOptionW, InternetCrackUrlW, InternetConnectW, InternetReadFile, InternetQueryDataAvailable, InternetOpenW
KERNEL32.dll | LeaveCriticalSection, CreateFileW, FlushFileBuffers, EnterCriticalSection, GetLocalTime, DeleteCriticalSection, GetExitCodeThread, CreateEventW, VirtualQuery, FreeLibrary, SetEvent, GetTickCount, ReadProcessMemory, GetProcAddress, OpenEventW, HeapAlloc, HeapFree, GetProcessHeap, DeleteFileW, SetLastError, WideCharToMultiByte, ReadFile, GetStartupInfoA, CopyFileW, WriteFile, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetModuleFileNameA, GetStdHandle, VirtualAlloc, VirtualFree, HeapCreate, HeapSize, InterlockedDecrement, GetCurrentThreadId, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, RaiseException, GetStartupInfoW, HeapReAlloc, RtlUnwind, GetSystemTimeAsFileTime, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetFileType, InitializeCriticalSection, SetFilePointer, GetFileSize, TerminateThread, lstrcpynW, CreateThread, GetTempFileNameW, GetTempPathW, ExitProcess, GetModuleHandleW, CloseHandle, TerminateProcess, GetExitCodeProcess, OpenProcess, GetLastError, MultiByteToWideChar, lstrlenA, Sleep, GetCommandLineW, CreateDirectoryW, ReleaseSemaphore, WaitForSingleObject, CreateSemaphoreW, GetConsoleCP, GetConsoleMode, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, SetHandleCount
USER32.dll | IsWindowVisible, GetLastInputInfo, wsprintfW, FindWindowW, GetDoubleClickTime, DestroyMenu, PostQuitMessage, PostMessageW, TrackPopupMenu, SetForegroundWindow, CheckMenuItem, ModifyMenuW, GetCursorPos, GetSubMenu, LoadMenuW, RegisterWindowMessageW, KillTimer, FillRect, InvalidateRect, SetTimer, DefWindowProcW, SetCursor, EndPaint, BeginPaint, ShowWindowAsync, ShowWindow, PtInRect, RegisterClassW, LoadImageW, SetWindowPos, SetWindowLongW, GetWindowLongW, CreateWindowExW, LoadCursorW, DestroyWindow, GetWindowRect, GetClassNameW, DispatchMessageW, TranslateMessage, GetMessageW, SendMessageW
GDI32.dll | CreateCompatibleDC, CreateRectRgnIndirect, SaveDC, SetStretchBltMode, GetClipBox, ExtSelectClipRgn, RestoreDC, TextOutW, SetTextAlign, SetTextColor, SetBkMode, SelectObject, SetPixel, DeleteObject, CreateBrushIndirect, GetStockObject, CreateDIBSection, DeleteDC, SetDIBitsToDevice, BitBlt, CreateFontW
ADVAPI32.dll | RegQueryValueExW, RegCreateKeyExW, RegCloseKey, RegEnumValueA, RegQueryInfoKeyA, RegOpenKeyExW, RegEnumValueW, CryptHashData, CryptDestroyHash, CryptCreateHash, CryptReleaseContext, CryptAcquireContextW, CryptGetHashParam, RegNotifyChangeKeyValue
SHELL32.dll | Shell_NotifyIconA, Shell_NotifyIconW, ShellExecuteW, CommandLineToArgvW, SHAppBarMessage, ShellExecuteExW, ShellExecuteA
ole32.dll | CoUninitialize, CoCreateGuid, CoInitialize, StringFromGUID2, CoInitializeEx
SHLWAPI.dll | StrTrimA, SHRegGetUSValueA, SHSetValueW, SHGetValueW, SHRegGetUSValueW
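The Import Hash printed in the Static PE Info section is derived from an import table like the one above, and is the value analysts pivot on to find other builds of the same code base. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample; it implements the widely used pefile/Mandiant imphash normalization (DLL name lowercased with a .dll/.ocx/.sys suffix removed, function names lowercased, "dll.func" entries joined with commas in import-table order, then MD5). It also handles the case that trips people up with Winsock: WS2_32.dll is usually imported by ordinal, and imphash tools map those ordinals back to names before hashing, so an import of ordinal 23 and an import of "socket" must hash identically. The ordinal table is limited to the functions in the report's WS2_32.dll list, and only the first four DLLs of the report are reproduced as sample input; reproducing the report's own hash (f79ac5f21170d2a7c2b023720bf0bfd4) would need the complete table in its on-disk order, which this example does not claim to have.

```python
"""Compute a PE import hash (imphash) from an ordered import table.
Added example for this report, not code from Joe Sandbox or from the sample."""
import hashlib

# Ordinal-to-name table for ws2_32.dll, restricted to the functions in the report's
# WS2_32.dll import list.  These are the documented Winsock export ordinals; a full
# imphash implementation carries the complete ws2_32 and oleaut32 tables.
WS2_32_ORDINALS = {
    3: "closesocket", 4: "connect", 9: "htons", 11: "inet_addr", 16: "recv",
    19: "send", 21: "setsockopt", 22: "shutdown", 23: "socket",
    115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}


def normalize_library(dll_name):
    """'WS2_32.dll' -> 'ws2_32', 'PSAPI.DLL' -> 'psapi'; other suffixes are kept."""
    name = dll_name.lower()
    base, _, ext = name.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") and base else name


def normalize_imports(import_table):
    """import_table: list of (dll_name, [function name or int ordinal, ...]) in on-disk
    order.  Returns the 'dll.func' strings the hash is taken over; ordinals are resolved
    through ORDINAL_TABLES when known and otherwise rendered as 'ordN'."""
    entries = []
    for dll_name, functions in import_table:
        lib = normalize_library(dll_name)
        for func in functions:
            if isinstance(func, int):
                func = ORDINAL_TABLES.get(lib, {}).get(func, "ord%d" % func)
            entries.append("%s.%s" % (lib, func.lower()))
    return entries


def imphash(import_table):
    """MD5 over the comma-joined normalized entries, as a lowercase hex string."""
    joined = ",".join(normalize_imports(import_table))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# The first four DLLs of the report's Imports table, in the order printed there
# (constructed from the report; WININET.dll is truncated to its first three functions).
REPORT_IMPORTS_HEAD = [
    ("WS2_32.dll", ["shutdown", "inet_addr", "htons", "socket", "connect", "send",
                    "closesocket", "WSAStartup", "WSACleanup", "recv", "setsockopt"]),
    ("urlmon.dll", ["URLDownloadToFileW"]),
    ("PSAPI.DLL", ["EnumProcesses", "GetModuleBaseNameW", "EnumProcessModules"]),
    ("WININET.dll", ["HttpSendRequestW", "InternetCloseHandle", "HttpOpenRequestW"]),
]

# The same Winsock imports expressed by ordinal, as a linker commonly emits them.
REPORT_IMPORTS_HEAD_BY_ORDINAL = [
    ("WS2_32.dll", [22, 11, 9, 23, 4, 19, 3, 115, 116, 16, 21]),
] + REPORT_IMPORTS_HEAD[1:]

if __name__ == "__main__":
    print(imphash(REPORT_IMPORTS_HEAD))
    print(imphash(REPORT_IMPORTS_HEAD) == imphash(REPORT_IMPORTS_HEAD_BY_ORDINAL))
```

Because the hash covers names and order but not addresses, two binaries built from the same source with the same linker settings share an imphash even when their code differs, which is what makes it a useful pivot; conversely a trivial reorder of the import table changes it, so it is a similarity hint rather than an identity.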

Possible Origin

Language of compilation system | Country where language is spoken
Hebrew | Israel
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe PID: 3848 Parent PID: 3964

General

Start time: 14:36:51
Start date: 08/01/2020
Path: C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\AF133EF1-8B1C-4BC4-90C5-4E2A33F3FD57_09172019125624423.exe'
Imagebase: 0x400000
File size: 529248 bytes
MD5 hash: 3E124BE177B50F89106A8AC4D80512A9
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
