
ID: 227143
Sample Name: m954tovB7J
Cookbook: default.jbs
Time: 23:36:20
Date: 03/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report m954tovB7J 5
Overview 5
General Information 5
Detection 5
Confidence 5
Classification Spiderchart 6
Analysis Advice 6
Mitre Att&ck Matrix 7
Signature Overview 7
AV Detection: 7
Spreading: 7
Networking: 8
Key, Mouse, Clipboard, Microphone and Screen Capturing: 8
System Summary: 8
Data Obfuscation: 8
Boot Survival: 8
Hooking and other Techniques for Hiding and Protection: 8
Malware Analysis System Evasion: 9
Anti Debugging: 9
HIPS / PFW / Protection Evasion: 9
Language, Device and Operating System Detection: 9
Remote Access Functionality: 9
Malware Configuration 9
Behavior Graph 9
Simulations 10
Behavior and APIs 10
Antivirus, Machine Learning and Genetic Malware Detection 10
Initial Sample 10
Dropped Files 10
Unpacked PE Files 10
Domains 11
URLs 11
Yara Overview 11
Initial Sample 11
PCAP (Network Traffic) 11
Dropped Files 11
Memory Dumps 11
Unpacked PEs 13
Sigma Overview 14
Joe Sandbox View / Context 14
IPs 14
Domains 14
ASN 14
JA3 Fingerprints 15
Dropped Files 15
Screenshots 15
Thumbnails 15
Startup 16
Created / dropped Files 16
Domains and IPs 16
Contacted Domains 16
URLs from Memory and Binaries 16
Contacted IPs 16
Public 17
Static File Info 17
General 17
File Icon 17

Copyright Joe Security LLC 2020 Page 2 of 32

Static PE Info 18
General 18
Entrypoint Preview 18
Data Directories 19
Sections 19
Resources 20
Imports 22
Possible Origin 23
Network Behavior 23
TCP Packets 23
Code Manipulations 24
Statistics 24
Behavior 24
System Behavior 24
Analysis Process: m954tovB7J.exe PID: 5424 Parent PID: 5372 24
General 24
File Activities 25
File Created 25
File Read 25
Registry Activities 25
Key Value Created 25
Analysis Process: cmd.exe PID: 5460 Parent PID: 5424 25
General 25
File Activities 26
Analysis Process: conhost.exe PID: 5488 Parent PID: 5460 26
General 26
Analysis Process: systeminfo.exe PID: 4312 Parent PID: 5460 26
General 26
File Activities 26
Registry Activities 26
Analysis Process: tasklist.exe PID: 2336 Parent PID: 5460 26
General 26
File Activities 27
Analysis Process: cmd.exe PID: 6104 Parent PID: 5424 27
General 27
File Activities 27
Analysis Process: conhost.exe PID: 3704 Parent PID: 6104 27
General 27
Analysis Process: systeminfo.exe PID: 5824 Parent PID: 6104 27
General 27
File Activities 28
Analysis Process: tasklist.exe PID: 5252 Parent PID: 6104 28
General 28
File Activities 28
Analysis Process: cmd.exe PID: 4736 Parent PID: 5424 28
General 28
File Activities 28
Analysis Process: conhost.exe PID: 3008 Parent PID: 4736 28
General 28
Analysis Process: systeminfo.exe PID: 920 Parent PID: 4736 29
General 29
File Activities 29
Analysis Process: tasklist.exe PID: 3020 Parent PID: 4736 29
General 29
File Activities 29
Analysis Process: cmd.exe PID: 2976 Parent PID: 5424 29
General 29
File Activities 30
Analysis Process: conhost.exe PID: 184 Parent PID: 2976 30
General 30
Analysis Process: systeminfo.exe PID: 5292 Parent PID: 2976 30
General 30
File Activities 30
Analysis Process: tasklist.exe PID: 3976 Parent PID: 2976 30
General 30
File Activities 31
Analysis Process: cmd.exe PID: 4120 Parent PID: 5424 31
General 31
File Activities 31
Analysis Process: conhost.exe PID: 5388 Parent PID: 4120 31
General 31
Analysis Process: systeminfo.exe PID: 5880 Parent PID: 4120 31
General 31
File Activities 32
Analysis Process: tasklist.exe PID: 5548 Parent PID: 4120 32
General 32
File Activities 32
Disassembly 32
Code Analysis 32

Analysis Report m954tovB7J

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 227143
Start date: 03.05.2020
Start time: 23:36:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: m954tovB7J (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal76.evad.winEXE@36/0@0/1
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 3.9% (good quality ratio 3.9%)
Quality average: 80.4%
Quality standard deviation: 17.8%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): WMIADAP.exe, WmiPrvSE.exe
  Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 76 | 0 - 100 | | false |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification Spiderchart

Spider chart (rendered as an image in the original): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware, with rings labelled malicious, suspicious and clean.

Analysis Advice

• All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which no longer works.

• Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.

• Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--").

• Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.

Mitre Att&ck Matrix

The matrix is an 11-column table in the original (one column per tactic, seven technique rows; the numbers after a technique are the counts shown in the original matrix). Listed here by tactic, in row order:

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment

Execution: Windows Management Instrumentation 3 2 1; Command-Line Interface 2; Execution through API 1; Graphical User Interface 1; Command-Line Interface; Graphical User Interface; Scripting

Persistence: Application Shimming 1; Registry Run Keys / Startup Folder 1; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception

Privilege Escalation: Process Injection 1 2; Application Shimming 1; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task

Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1 3; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; DLL Search Order Hijacking; Software Packing

Credential Access: Input Capture 1 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception

Discovery: Discovery 2 (the first word of this technique name did not survive extraction); Virtualization/Sandbox Evasion 1 3; Process Discovery 2; Application Window Discovery 1 1; Security Software Discovery 1 3 1; File and Directory Discovery 1; System Information Discovery 1 3 6

Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash

Collection: Screen Capture 1; Input Capture 1 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection

Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel

Command and Control: Standard Cryptographic Protocol 1; Commonly Used Port; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality


AV Detection:

Antivirus detection for sample

Multi AV Scanner detection for submitted file

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Connects to IPs without corresponding DNS lookups

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

System Summary:

Submitted sample is a known malware sample

Writes or reads registry keys via WMI

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Contains functionality for error logging

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates mutexes

Creates temporary files

Parts of this application are using Borland Delphi (probably coded in Delphi)

Queries process information (via WMI, Win32_Process)

Reads software policies

Sample is known by Antivirus

Sample might require command line arguments

Spawns processes

Uses an in-process (OLE) Automation server

Uses systeminfo.exe to query system information

Uses tasklist.exe to query information about running processes

Found graphical window changes (likely an installer)

PE file has a big code size

Submission file is bigger than most known malware samples

PE file has a big raw section

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Boot Survival:

Creates an autostart registry key

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Extensive use of GetProcAddress (often used to hide API calls)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains functionality to detect sandboxes (mouse cursor detection)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate / list files inside a directory

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Anti Debugging:

Contains functionality to dynamically determine API calls

Enables privileges

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Queries the volume information (name, serial number, etc.) of a device

Contains functionality to query local / system time

Contains functionality to query time zone information

Contains functionality to query windows version

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Malware Configuration

No configs have been found

Behavior Graph

Behavior graph (rendered as an image in the original; legend and layout not reproduced). ID: 227143; Sample: m954tovB7J; Startdate: 03/05/2020; Architecture: WINDOWS; Score: 76.

Nodes: m954tovB7J.exe (Delphi) contacts 86.106.131.177 on port 80 (ASN unknown, Belize; marked malicious) and starts cmd.exe (five instances); each cmd.exe starts systeminfo.exe and other processes.

Signatures attached to the graph: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Antivirus detection for sample; Multi AV Scanner detection for submitted file; Submitted sample is a known malware sample; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Writes or reads registry keys via WMI.

Simulations

Behavior and APIs

Time | Type | Description
23:36:51 | Autostart | Run: HKCU\Software\\Windows\CurrentVersion\RunOnce AdobeDailyUpdate C:\Users\user\AppData\Local\Temp\csrsvc.exe
23:37:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce AdobeDailyUpdate C:\Users\user\AppData\Local\Temp\csrsvc.exe
23:37:14 | API Interceptor | 4x Sleep call for process: m954tovB7J.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
m954tovB7J.exe | 72% | Virustotal | | Browse
m954tovB7J.exe | 77% | ReversingLabs | Win32.Trojan.Zebrocy |
m954tovB7J.exe | 100% | Avira | HEUR/AGEN.1014011 |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
0.0.m954tovB7J.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1014011 | | Download File
0.2.m954tovB7J.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1014011 | | Download File

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F520 | 0% | Avira URL Cloud | safe |
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5t | 0% | Avira URL Cloud | safe |
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5 | 0% | Avira URL Cloud | safe |
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php | 5% | Virustotal | | Browse
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php | 0% | Avira URL Cloud | safe |
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.phpbsDialog | 0% | Avira URL Cloud | safe |
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5%2 | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
m954tovB7J.exe | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x147d2a; $s4 at 0x147d08; $s5 at 0x11694c; $s6 at 0x117310; $s7 at 0x147ca4

The report lists the matched strings as hex-encoded bytes; decoded, they are: $s3 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6" (a hard-coded User-Agent), $s4 = "AdobeDailyUpdate" (the autostart value name seen under Simulations), $s5 = "SYSTEMINFO & TASKLIST" (the command line passed to cmd.exe under Startup), $s6 = "csrsvc.exe" (the file name of the autostart entry), $s7 = "Software\Microsoft\Windows\CurrentVersion\Run".

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings (same hex-encoded string contents as in the Initial Sample table)
00000000.00000002.1189289885.000000000019B000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x3cc0
00000000.00000002.1190571044.00000000023E7000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0xf1a; $s4 at 0xef8; $s7 at 0xe94
00000000.00000002.1189711400.000000000052A000.00000002.00020000.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x2912a; $s4 at 0x29108; $s7 at 0x290a4
00000000.00000000.765969959.0000000000401000.00000020.00020000.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s5 at 0x11654c; $s6 at 0x116f10
00000000.00000000.766353212.000000000052A000.00000002.00020000.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x2912a; $s4 at 0x29108; $s7 at 0x290a4
00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x5208, 0x5e38, 0x6a68
00000000.00000002.1189355482.0000000000401000.00000020.00020000.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s5 at 0x11654c; $s6 at 0x116f10
Process Memory Space: m954tovB7J.exe PID: 5424 | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x5d22c, 0x5d2c6, 0xac61b, 0xad243, 0xade84, 0xaeaad, 0xaf6f5, 0xaf807, 0x247f83, 0x2a0406, 0x3803e6, 0x3804fe, 0x3812b2; $s4 at 0x247f56, 0x2a03d9, 0x3804de; $s5 at 0x10a53, 0x246f56, 0x246f8e; $s6 at 0x12fcc, 0x2471a2

Unpacked PEs

Source | Rule | Description | Author | Strings (same hex-encoded string contents as in the Initial Sample table)
0.0.m954tovB7J.exe.400000.0.unpack | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x147d2a; $s4 at 0x147d08; $s5 at 0x11694c; $s6 at 0x117310; $s7 at 0x147ca4
0.2.m954tovB7J.exe.400000.0.unpack | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | $s3 at 0x147d2a; $s4 at 0x147d08; $s5 at 0x11694c; $s6 at 0x117310; $s7 at 0x147ca4

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
m954tovB7J.exe (PID: 5424, cmdline: 'C:\Users\user\Desktop\m954tovB7J.exe', MD5: 18AFD364D287DFB20921E2C76D4E2C41)
  cmd.exe (PID: 5460, cmdline: cmd.exe /c SYSTEMINFO & TASKLIST, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 5488, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    systeminfo.exe (PID: 4312, cmdline: SYSTEMINFO, MD5: 4B3438B4516FA9CA1E49B2ABA634472C)
    tasklist.exe (PID: 2336, cmdline: TASKLIST, MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  cmd.exe (PID: 6104, cmdline: cmd.exe /c SYSTEMINFO & TASKLIST, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 3704, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    systeminfo.exe (PID: 5824, cmdline: SYSTEMINFO, MD5: 4B3438B4516FA9CA1E49B2ABA634472C)
    tasklist.exe (PID: 5252, cmdline: TASKLIST, MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  cmd.exe (PID: 4736, cmdline: cmd.exe /c SYSTEMINFO & TASKLIST, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 3008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    systeminfo.exe (PID: 920, cmdline: SYSTEMINFO, MD5: 4B3438B4516FA9CA1E49B2ABA634472C)
    tasklist.exe (PID: 3020, cmdline: TASKLIST, MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  cmd.exe (PID: 2976, cmdline: cmd.exe /c SYSTEMINFO & TASKLIST, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 184, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    systeminfo.exe (PID: 5292, cmdline: SYSTEMINFO, MD5: 4B3438B4516FA9CA1E49B2ABA634472C)
    tasklist.exe (PID: 3976, cmdline: TASKLIST, MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  cmd.exe (PID: 4120, cmdline: cmd.exe /c SYSTEMINFO & TASKLIST, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 5388, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    systeminfo.exe (PID: 5880, cmdline: SYSTEMINFO, MD5: 4B3438B4516FA9CA1E49B2ABA634472C)
    tasklist.exe (PID: 5548, cmdline: TASKLIST, MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F520 | m954tovB7J.exe, 00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5t | m954tovB7J.exe, 00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5 | m954tovB7J.exe, 00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php | m954tovB7J.exe, 00000000.00000002.1190571044.00000000023E7000.00000004.00000001.sdmp | false | 5%, Virustotal, Browse; Avira URL Cloud: safe | unknown
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.phpbsDialog | m954tovB7J.exe, 00000000.00000002.1190571044.00000000023E7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php?fort=AC31F8F5%2 | m954tovB7J.exe, 00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Country | Flag | ASN | ASN Name | Malicious
86.106.131.177 | Belize | | 47447 | unknown | false

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.598677112005157
TrID: Win32 Executable (generic) a (10002005/4) 92.97%; Win32 Executable Borland Delphi 7 (665061/41) 6.18%; InstallShield setup (43055/19) 0.40%; Win32 EXE PECompact compressed (generic) (41571/9) 0.39%; Win16/32 Executable Delphi generic (2074/23) 0.02%
File name: m954tovB7J.exe
File size: 1347072
MD5: 18afd364d287dfb20921e2c76d4e2c41
SHA1: 00b39f2deaf1f1fc29e5acb63f4d1100e04fd701
SHA256: 53aef1e8b281a00dea41387a24664655986b58d61d39cfbde7e58d8c2ca3efda
SHA512: 1065979ed641547cd8f8f55d18936b9e07bcd821548996df9fbe73dccbc8b869668ff2e82e9d3e1972c51aafe3d6a8ec8d0a6c257740ac43a17a928d2d92f759
SSDEEP: 24576:l3p3s0esMyEmMi+B0LWmQA7Lyao6GJbtNlgOaSJEDZb0LbmnQnHAsAr:4Xsby/xNl9Cb0LRngsS
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......

File Icon

Icon Hash: 74ecccc2caccdc26

Static PE Info

General

Entrypoint: 0x51a0f8
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (0x2A425E19 is the fixed link timestamp written by the Delphi linker, so it says nothing about when this sample was actually built)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 26dfecd80db0af1e5f1ca820f0ea2fcf

Entrypoint Preview

Instruction
  push ebp
  mov ebp, esp
  add esp, FFFFFFF0h
  push ebx
  mov eax, 00518238h
  call 00007F0100844288h
  mov ebx, dword ptr [0051EFFCh]
  mov eax, dword ptr [ebx]
  call 00007F01008AC0DFh
  mov eax, dword ptr [ebx]
  xor edx, edx
  call 00007F01008ABB56h
  mov ecx, dword ptr [0051F23Ch]
  mov eax, dword ptr [ebx]
  mov edx, dword ptr [005169E4h]
  call 00007F01008AC0DBh
  mov eax, dword ptr [ebx]
  mov byte ptr [eax+5Bh], 00000000h
  push 00000000h
  mov eax, dword ptr [ebx]
  mov eax, dword ptr [eax+30h]
  push eax
  call 00007F0100844FA0h
  mov eax, dword ptr [ebx]
  call 00007F01008AC141h
  pop ebx
  call 00007F010084176Bh
  mov eax, eax
  add byte ptr [eax], al
  (the rest of the preview is this same instruction repeated: it is the disassembly of the zero bytes that follow the entry-point code)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x125000         0x327a        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x141000         0x13200       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x12b000         0x1515c       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x12a000         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x125954         0x7d8         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0x117918      0x117a00  False     0.490751250279   data       6.53708549663   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext  0x119000         0x1154        0x1200    False     0.582899305556   data       6.33056667712   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x11b000         0x4358        0x4400    False     0.426872702206   data       4.68772892709   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss    0x120000         0x4c64        0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x125000         0x327a        0x3400    False     0.306941105769   data       4.95253624329   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0x129000         0x48          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0x12a000         0x18          0x200     False     0.052734375      data       0.210826267787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x12b000         0x1515c       0x15200   False     0.496856508876   data       6.61710977528   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0x141000         0x13200       0x13200   False     0.288143382353   data       4.76209806726   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name             RVA       Size    Type                                                                                                                       Language  Country
RT_CURSOR        0x142d6c  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x142ea0  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x142fd4  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x143108  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x14323c  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x143370  0x134   data                                                                                                                       English   United States
RT_CURSOR        0x1434a4  0x134   data                                                                                                                       English   United States
RT_BITMAP        0x1435d8  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x1437a8  0x1e4   data                                                                                                                       English   United States
RT_BITMAP        0x14398c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x143b5c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x143d2c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x143efc  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x1440cc  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x14429c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x14446c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x14463c  0x1d0   data                                                                                                                       English   United States
RT_BITMAP        0x14480c  0xc0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x1448cc  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x1449ac  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x144ad4  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x144bfc  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x144d24  0xe8    data                                                                                                                       English   United States
RT_BITMAP        0x144e0c  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x144f34  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x14505c  0xd0    data                                                                                                                       English   United States
RT_BITMAP        0x14512c  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x145254  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x14537c  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x14545c  0x5c    data                                                                                                                       English   United States
RT_BITMAP        0x1454b8  0x5c    data                                                                                                                       English   United States
RT_BITMAP        0x145514  0x5c    data                                                                                                                       English   United States
RT_BITMAP        0x145570  0x5c    data                                                                                                                       English   United States
RT_BITMAP        0x1455cc  0x5c    data                                                                                                                       English   United States
RT_BITMAP        0x145628  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145760  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145898  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x1459d0  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145b08  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145c40  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145d78  0x104   data                                                                                                                       English   United States
RT_BITMAP        0x145e7c  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x145fb4  0x104   data                                                                                                                       English   United States
RT_BITMAP        0x1460b8  0x138   data                                                                                                                       English   United States
RT_BITMAP        0x1461f0  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146318  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146440  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146568  0xe8    data                                                                                                                       English   United States
RT_BITMAP        0x146650  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146778  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x1468a0  0xd0    data                                                                                                                       English   United States
RT_BITMAP        0x146970  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146a98  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146bc0  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146ce8  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146e10  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x146f38  0xe8    data                                                                                                                       English   United States
RT_BITMAP        0x147020  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x147148  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x147270  0xd0    data                                                                                                                       English   United States
RT_BITMAP        0x147340  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x147468  0x128   data                                                                                                                       English   United States
RT_BITMAP        0x147590  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147670  0xc0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147730  0xc0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x1477f0  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x1478d0  0xc0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147990  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147a70  0xe8    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147b58  0xc0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_BITMAP        0x147c18  0xe0    GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_ICON          0x147cf8  0x468   GLS_BINARY_LSB_FIRST                                                                                                       English   United States
RT_ICON          0x148160  0x988   data                                                                                                                       English   United States
RT_ICON          0x148ae8  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 150994944, next used block 50331648    English   United States
RT_ICON          0x149b90  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0                   English   United States
RT_DIALOG        0x14c138  0x52    data
RT_DIALOG        0x14c18c  0x52    data
RT_STRING        0x14c1e0  0x1fc   data
RT_STRING        0x14c3dc  0x2fc   data
RT_STRING        0x14c6d8  0x4f4   data
RT_STRING        0x14cbcc  0x3e0   data
RT_STRING        0x14cfac  0x57c   data
RT_STRING        0x14d528  0x41c   data
RT_STRING        0x14d944  0x3f4   data
RT_STRING        0x14dd38  0x48c   data
RT_STRING        0x14e1c4  0x2d8   data
RT_STRING        0x14e49c  0x33c   data
RT_STRING        0x14e7d8  0x478   data
RT_STRING        0x14ec50  0x380   data
RT_STRING        0x14efd0  0x3a4   data
RT_STRING        0x14f374  0x28c   data
RT_STRING        0x14f600  0x300   data
RT_STRING        0x14f900  0x3d0   data
RT_STRING        0x14fcd0  0x9c    data
RT_STRING        0x14fd6c  0x100   data
RT_STRING        0x14fe6c  0x230   data
RT_STRING        0x15009c  0x400   data
RT_STRING        0x15049c  0x354   data
RT_STRING        0x1507f0  0x390   data
RT_STRING        0x150b80  0x38c   data
RT_STRING        0x150f0c  0x240   data
RT_STRING        0x15114c  0xcc    data
RT_STRING        0x151218  0x1bc   data
RT_STRING        0x1513d4  0x3cc   data
RT_STRING        0x1517a0  0x3d4   data
RT_STRING        0x151b74  0x2ec   data
RT_STRING        0x151e60  0x308   data
RT_RCDATA        0x152168  0x10    data
RT_RCDATA        0x152178  0xb64   data
RT_RCDATA        0x152cdc  0x2     data                                                                                                                       English   United States
RT_RCDATA        0x152ce0  0x81f   Delphi compiled form 'TForm1'
RT_RCDATA        0x153500  0x494   Delphi compiled form 'TLoginDialog'
RT_RCDATA        0x153994  0x3c4   Delphi compiled form 'TPasswordDialog'
RT_GROUP_CURSOR  0x153d58  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153d6c  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153d80  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153d94  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153da8  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153dbc  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_CURSOR  0x153dd0  0x14    Lotus unknown worksheet or configuration, revision 0x1                                                                     English   United States
RT_GROUP_ICON    0x153de4  0x3e    data                                                                                                                       English   United States
RT_MANIFEST      0x153e24  0x2ca   XML 1.0 document, ASCII text, with CRLF line terminators                                                                   English   United States

Imports

DLL           Import
oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll    GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll  GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll    CreateWindowExW, CreateWindowExA, WindowFromPoint, WaitMessage, VkKeyScanW, ValidateRect, UpdateWindow, UnregisterClassW, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowsHookExA, SetWindowTextW, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoW, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassW, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyW, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringW, GetMenuStringA, GetMenuState, GetMenuItemInfoW, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameW, GetClassNameA, GetClassLongA, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharNextW, CallWindowProcW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll     UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32W, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePen, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll  lstrcpyA, lstrcmpA, WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameW, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageW, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateFileW, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringW, CompareStringA, CloseHandle
advapi32.dll  RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
oleaut32.dll  GetErrorInfo, GetActiveObject, SysStringLen, SysFreeString
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll  Sleep
oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll  _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
winspool.drv  OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
winmm.dll     mciSendCommandA, mciGetErrorStringA
wsock32.dll   WSACleanup, WSAStartup

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 3, 2020 23:36:53.896322966 CEST  49746        80         192.168.2.5  86.106.131.177
May 3, 2020 23:36:56.886152983 CEST  49746        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:02.890681028 CEST  49746        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:20.724020958 CEST  49750        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:23.727333069 CEST  49750        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:29.728116035 CEST  49750        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:45.593489885 CEST  49752        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:48.606157064 CEST  49752        80         192.168.2.5  86.106.131.177
May 3, 2020 23:37:54.619920969 CEST  49752        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:11.497699022 CEST  49753        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:14.512923002 CEST  49753        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:20.513174057 CEST  49753        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:36.637227058 CEST  49754        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:39.638411045 CEST  49754        80         192.168.2.5  86.106.131.177
May 3, 2020 23:38:45.639121056 CEST  49754        80         192.168.2.5  86.106.131.177

Code Manipulations

Statistics

Behavior

• m954tovB7J.exe
• cmd.exe
• conhost.exe
• systeminfo.exe
• tasklist.exe
• cmd.exe
• conhost.exe
• systeminfo.exe
• tasklist.exe
• cmd.exe
• conhost.exe
• systeminfo.exe
• tasklist.exe
• cmd.exe
• conhost.exe
• systeminfo.exe
• tasklist.exe
• cmd.exe
• conhost.exe
• systeminfo.exe
• tasklist.exe


System Behavior

Analysis Process: m954tovB7J.exe PID: 5424 Parent PID: 5372

General

Start time: 23:36:44
Start date: 03/05/2020
Path: C:\Users\user\Desktop\m954tovB7J.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\m954tovB7J.exe'
Imagebase: 0x400000
File size: 1347072 bytes
MD5 hash: 18AFD364D287DFB20921E2C76D4E2C41
Has administrator privileges: false
Programmed in: Borland Delphi

Yara matches:
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.1189289885.000000000019B000.00000004.00000001.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.1190571044.00000000023E7000.00000004.00000001.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.1189711400.000000000052A000.00000002.00020000.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000000.765969959.0000000000401000.00000020.00020000.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000000.766353212.000000000052A000.00000002.00020000.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.1190412243.000000000235D000.00000004.00000001.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.1189355482.0000000000401000.00000020.00020000.sdmp, Author: Florian Roth
Reputation: low

File Activities

File Created

Source  File Path                                    Access                                                        Attributes  Options                                        Completion       Count  Address  Symbol
        C:\Users\user\AppData\Local\Temp\csrsvc.exe  read attributes | synchronize | generic read | generic write  device      synchronous io non alert | non directory file  success or wait  4      403AD4   CreateFileA

File Read

Source  File Path  Offset   Length  Completion       Count  Address  Symbol
        unknown    unknown  255     success or wait  4535   51814B   ReadFile
        unknown    unknown  255     pipe broken      4      51814B   ReadFile

Registry Activities

Key Value Created

Source  Key Path                                                             Name              Type     Data                                         Completion       Count  Address  Symbol
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce  AdobeDailyUpdate  unicode  C:\Users\user\AppData\Local\Temp\csrsvc.exe  success or wait  1      42ED07   RegSetValueExA

Analysis Process: cmd.exe PID: 5460 Parent PID: 5424

General

Start time: 23:36:48
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c SYSTEMINFO & TASKLIST
Imagebase: 0x860000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 5488 Parent PID: 5460

General

Start time: 23:36:49
Start date: 03/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: systeminfo.exe PID: 4312 Parent PID: 5460

General

Start time: 23:36:49
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit): true
Commandline: SYSTEMINFO
Imagebase: 0x2d0000
File size: 77312 bytes
MD5 hash: 4B3438B4516FA9CA1E49B2ABA634472C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: tasklist.exe PID: 2336 Parent PID: 5460

General

Start time: 23:36:51
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: TASKLIST
Imagebase: 0x80000
File size: 79872 bytes
MD5 hash: 6B7D2FC3FB98B10A5F77B23DEF745F6F
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 6104 Parent PID: 5424

General

Start time: 23:37:14
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c SYSTEMINFO & TASKLIST
Imagebase: 0x860000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 3704 Parent PID: 6104

General

Start time: 23:37:14
Start date: 03/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: systeminfo.exe PID: 5824 Parent PID: 6104

General

Start time: 23:37:14
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit): true
Commandline: SYSTEMINFO
Imagebase: 0x2d0000
File size: 77312 bytes
MD5 hash: 4B3438B4516FA9CA1E49B2ABA634472C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: tasklist.exe PID: 5252 Parent PID: 6104

General

Start time: 23:37:16
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: TASKLIST
Imagebase: 0x80000
File size: 79872 bytes
MD5 hash: 6B7D2FC3FB98B10A5F77B23DEF745F6F
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4736 Parent PID: 5424

General

Start time: 23:37:41
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c SYSTEMINFO & TASKLIST
Imagebase: 0x860000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 3008 Parent PID: 4736

General

Start time: 23:37:41
Start date: 03/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: systeminfo.exe PID: 920 Parent PID: 4736

General

Start time: 23:37:41
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit): true
Commandline: SYSTEMINFO
Imagebase: 0x2d0000
File size: 77312 bytes
MD5 hash: 4B3438B4516FA9CA1E49B2ABA634472C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: tasklist.exe PID: 3020 Parent PID: 4736

General

Start time: 23:37:43
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: TASKLIST
Imagebase: 0x80000
File size: 79872 bytes
MD5 hash: 6B7D2FC3FB98B10A5F77B23DEF745F6F
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 2976 Parent PID: 5424

General

Start time: 23:38:06
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c SYSTEMINFO & TASKLIST
Imagebase: 0x860000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 184 Parent PID: 2976

General

Start time: 23:38:06
Start date: 03/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: systeminfo.exe PID: 5292 Parent PID: 2976

General

Start time: 23:38:06
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit): true
Commandline: SYSTEMINFO
Imagebase: 0x2d0000
File size: 77312 bytes
MD5 hash: 4B3438B4516FA9CA1E49B2ABA634472C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: tasklist.exe PID: 3976 Parent PID: 2976

General

Start time: 23:38:08
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: TASKLIST
Imagebase: 0x80000
File size: 79872 bytes
MD5 hash: 6B7D2FC3FB98B10A5F77B23DEF745F6F
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4120 Parent PID: 5424

General

Start time: 23:38:32
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c SYSTEMINFO & TASKLIST
Imagebase: 0x860000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 5388 Parent PID: 4120

General

Start time: 23:38:32
Start date: 03/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: systeminfo.exe PID: 5880 Parent PID: 4120

General

Start time: 23:38:32
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit): true
Commandline: SYSTEMINFO
Imagebase: 0x2d0000
File size: 77312 bytes
MD5 hash: 4B3438B4516FA9CA1E49B2ABA634472C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: tasklist.exe PID: 5548 Parent PID: 4120

General

Start time: 23:38:34
Start date: 03/05/2020
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: TASKLIST
Imagebase: 0x80000
File size: 79872 bytes
MD5 hash: 6B7D2FC3FB98B10A5F77B23DEF745F6F
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Disassembly

Code Analysis
