ID: 439538
Sample Name: As47eCZnpZ
Cookbook: default.jbs
Time: 05:55:27
Date: 24/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Windows Analysis Report As47eCZnpZ
  Overview
    General Information
    Detection
    Signatures
    Classification
    Process Tree
    Malware Configuration
    Yara Overview
    Sigma Overview
    Signature Overview
      AV Detection
      Networking
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      System Summary
      Data Obfuscation
      Malware Analysis System Evasion
      HIPS / PFW / Operating System Protection Evasion
    Mitre Att&ck Matrix
    Behavior Graph
    Screenshots
      Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
      Private
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
  Code Manipulations
  Statistics
  Behavior
    System Behavior
      Analysis Process: As47eCZnpZ.exe PID: 6216 Parent PID: 5912 (General; File Activities: File Created, File Deleted, File Written, File Read)
      Analysis Process: cmd.exe PID: 6424 Parent PID: 6216 (General; File Activities)
      Analysis Process: conhost.exe PID: 6464 Parent PID: 6424 (General)
      Analysis Process: cmd.exe PID: 6516 Parent PID: 6424 (General; File Activities: File Created, File Written, File Read)
      Analysis Process: findstr.exe PID: 6532 Parent PID: 6516 (General; File Activities: File Written)
      Analysis Process: Bel.exe.com PID: 6552 Parent PID: 6516 (General; File Activities: File Read)
      Analysis Process: PING.EXE PID: 6564 Parent PID: 6516 (General; File Activities)
      Analysis Process: Bel.exe.com PID: 6600 Parent PID: 6552 (General; File Activities: File Deleted, File Read)
      Analysis Process: nslookup.exe PID: 4532 Parent PID: 6600 (General; Registry Activities: Key Created, Key Value Created)
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2021
Windows Analysis Report As47eCZnpZ
Overview
General Information

Sample: As47eCZnpZ (renamed file extension from none to exe)
Analysis ID: 439538
MD5: 93df98db8236868…
SHA1: b42499efc5cad69…
SHA256: ad09d1a6e737f29…
Tags: 32 exe
Infos: (screenshot thumbnail not reproduced)
Most interesting Screenshot: (not reproduced)

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Submitted sample is a known malware sample
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Obfuscated command line found
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a d…
Contains functionality to check if a d…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to query locale…
Contains functionality to retrieve info…
Contains functionality to retrieve info…
Contains functionality to simulate ke…
Creates a process in suspended mo…
Detected TCP or UDP traffic on non…
Detected potential crypto function
Found potential string decryption / a…
IP address seen in connection with o…
Monitors certain registry keys / valu…
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key s…
Sample execution stops while proces…
Sample file is different than original…
Tries to resolve domain names, but…
Uses 32bit PE files
Uses code obfuscation techniques (…

Classification

Classification wheel (image not reproduced). Categories on the wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious, suspicious, clean. Classification string for this sample: mal80.troj.spyw.evad.winEXE@16/7@1/3.

Process Tree

System is w10x64
As47eCZnpZ.exe (PID: 6216 cmdline: 'C:\Users\user\Desktop\As47eCZnpZ.exe' MD5: 93DF98DB8236868F5BD80EC14FE33A6C)
  cmd.exe (PID: 6424 cmdline: 'C:\Windows\System32\cmd.exe' /c cmd < Profonda.m4a MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    cmd.exe (PID: 6516 cmdline: cmd MD5: F3BDBE3BB6F734E357235F4D5898582D)
      findstr.exe (PID: 6532 cmdline: findstr /V /R '^ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ$' Folle.m4a MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
      Bel.exe.com (PID: 6552 cmdline: Bel.exe.com R MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        Bel.exe.com (PID: 6600 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com R MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          nslookup.exe (PID: 4532 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      PING.EXE (PID: 6564 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)
cleanup

Malware Configuration

No configs have been found
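How the carve-out in the process tree works, as an added example (this is not code from the report or from the sample). The sample extracts into C:\Users\user\AppData\Local\Temp\7ZipSfx.000, the directory name a 7-Zip self-extractor uses. cmd < Profonda.m4a feeds a batch script over stdin; the only command visible in its preview is if %userdomain%==DESKTOP-QO5QU33 exit 1, an exit on one specific analysis machine name. Folle.m4a is the 99-character marker line ZHdrm…JZ plus CRLF followed by a PE image (its preview shows the marker and then the "This program cannot be run in DOS mode" stub), so findstr /V /R '^MARKER$' Folle.m4a, which prints every line except the one equal to the marker, yields the executable that then runs as Bel.exe.com R. The sizes fit: 893707 bytes (Folle.m4a) minus 101 (99 + CRLF) is 893606 bytes, the size of the dropped Bel.exe.com. R (975982 bytes, same SHA-256 as Puo.m4a) is the script argument; its Func / Local $… / Execute(…) syntax is AutoIt's, so Bel.exe.com is most likely a renamed AutoIt interpreter, which the report does not confirm. The "Targa image data" file type on the dropped Bel.exe.com is libmagic's loose match on its leading bytes and not evidence of an image. The Python below re-implements the findstr step on a constructed container and checks that an MZ header is what remains. It assumes findstr splits on LF, tests the regex on each line with CR/LF stripped and copies non-matching lines unchanged; it does not reproduce the 2-byte difference between the dropped-file snapshot (893606 bytes, MD5 AC7E…, Category: modified) and the file that actually executed (893608 bytes, MD5 C56B…).

```python
"""Re-implementation of the findstr carve-out step from this report's process tree.

Added example, not Joe Sandbox code and not code from the sample. It models
    findstr /V /R "^<marker>$" Folle.m4a
as: split the input on LF, drop every line whose content (CR/LF stripped) matches
the anchored regex, copy all other lines through unchanged. The input below is a
constructed stand-in for Folle.m4a (marker line + fake PE bytes), not the real file.
"""
import hashlib
import re
from typing import Iterator

# The 99-character marker from the findstr command line in the report.
MARKER = (
    b"ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZM"
    b"PlyIGLlBkQvMElyhYdTMciCIjdfJZ"
)

# Constructed fake PE body; it deliberately contains CR and LF bytes so the
# line-oriented filter is exercised on binary data the way it is on a real PE.
FAKE_PE = b"MZ\x90\x00\x03\x00\r\n\x00\x04\x00\x00\xff\xff\n\x00PE\x00\x00L\x01\r\n"


def iter_lines(data: bytes) -> Iterator[bytes]:
    """Yield LF-terminated chunks (the final chunk may lack a terminator)."""
    start = 0
    while start < len(data):
        nl = data.find(b"\n", start)
        if nl == -1:
            yield data[start:]
            return
        yield data[start:nl + 1]
        start = nl + 1


def findstr_v_r(data: bytes, pattern: bytes) -> bytes:
    """findstr /V /R: keep only the lines that do NOT match `pattern`."""
    rx = re.compile(pattern)
    kept = bytearray()
    for line in iter_lines(data):
        if rx.search(line.rstrip(b"\r\n")) is None:
            kept += line
    return bytes(kept)


def marker_pattern(marker: bytes) -> bytes:
    """Anchored regex for a line consisting of exactly the marker, as in the sample."""
    return b"^" + re.escape(marker) + b"$"


def carve_embedded_pe(container: bytes, marker: bytes) -> bytes:
    """Strip the marker line and check that a PE image is what remains."""
    carved = findstr_v_r(container, marker_pattern(marker))
    if not carved.startswith(b"MZ"):
        raise ValueError("carved data does not start with an MZ header")
    return carved


def build_container(marker: bytes, payload: bytes) -> bytes:
    """Constructed Folle.m4a look-alike: marker line, CRLF, then the payload."""
    return marker + b"\r\n" + payload


def demo() -> dict:
    """Carve the constructed container and report the numbers an analyst compares."""
    container = build_container(MARKER, FAKE_PE)
    carved = carve_embedded_pe(container, MARKER)
    return {
        "container_size": len(container),
        "carved_size": len(carved),
        "marker_line_bytes": len(container) - len(carved),  # 99 + CRLF = 101
        "carved_sha256": hashlib.sha256(carved).hexdigest(),
        "starts_with_mz": carved.startswith(b"MZ"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To apply this to the real dropped files, pass the bytes of Folle.m4a as the container; if the MZ check fails, compare the output size against the two Bel.exe.com sizes in the report before assuming the carve model is wrong.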
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
AV Detection:
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Networking:
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Contains functionality to register a low level keyboard hook
System Summary:
Submitted sample is a known malware sample
Data Obfuscation:
Obfuscated command line found
Malware Analysis System Evasion:
Uses ping.exe to sleep
HIPS / PFW / Operating System Protection Evasion:
Injects a PE file into a foreign processes
Writes to foreign memory regions
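The signatures above are triggered by the command lines in the process tree. As an added example (not a Joe Sandbox signature and not a Sigma rule from this report), the Python below encodes those patterns as process-creation heuristics and runs them over events constructed from the report's process tree: cmd.exe reading its script from a .m4a file on stdin, findstr /V /R with an anchored marker regex, ping 127.0.0.1 -n 30 used as a sleep, a .exe.com image inside a 7ZipSfx.000 temp directory, and argument-less nslookup.exe started by something other than a user shell. The field names (pid, ppid, image, parent_image, cmdline) are assumptions about the telemetry, and the parent image of PID 5912 is left empty because the report does not give it. No single rule is conclusive on its own; correlate() therefore also counts distinct hits per process tree.

```python
"""Command-line heuristics for this report's loader chain (added example, not a
Joe Sandbox signature or Sigma rule). ProcEvent fields are assumed telemetry
names; SAMPLE_EVENTS copies the report's process tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


SCRIPT_EXTS = {".bat", ".cmd", ".txt"}
USER_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_cmd_stdin_from_datafile(e: ProcEvent) -> bool:
    # cmd.exe reading its script from stdin ("cmd < Profonda.m4a") out of a non-script file
    if basename(e.image) != "cmd.exe":
        return False
    m = re.search(r"<\s*([^\s&|<>]+)", e.cmdline)
    if not m:
        return False
    name = basename(m.group(1))
    return ("." in name) and name[name.rfind("."):] not in SCRIPT_EXTS


def rule_findstr_marker_carve(e: ProcEvent) -> bool:
    # findstr /V /R "^<long marker>$": removes exactly one line, i.e. carves a payload
    if basename(e.image) != "findstr.exe":
        return False
    has_v = re.search(r"(?i)(?:^|\s)/v(?=\s|$)", e.cmdline) is not None
    anchored = re.search(r"""['"]\^[A-Za-z0-9]{20,}\$['"]""", e.cmdline) is not None
    return has_v and anchored


def rule_ping_loopback_sleep(e: ProcEvent) -> bool:
    # ping 127.0.0.1 -n 30: roughly one second per echo, used as a sleep primitive
    if basename(e.image) != "ping.exe":
        return False
    if re.search(r"(?<!\S)(?:127\.0\.0\.1|localhost|::1)(?!\S)", e.cmdline) is None:
        return False
    m = re.search(r"(?i)(?:^|\s)-n\s+(\d+)", e.cmdline)
    return bool(m) and int(m.group(1)) >= 10


def rule_exe_com_from_sfx_temp(e: ProcEvent) -> bool:
    # a .exe.com double extension, or any image run from a 7ZipSfx.NNN temp directory
    img = e.image.lower()
    return img.endswith(".exe.com") or re.search(r"\\temp\\7zipsfx\.\d+\\", img) is not None


def rule_nslookup_noargs_odd_parent(e: ProcEvent) -> bool:
    # argument-less nslookup started by a non-shell parent: here the injection target
    if basename(e.image) != "nslookup.exe":
        return False
    no_args = len(e.cmdline.strip().split(None, 1)) == 1
    return no_args and basename(e.parent_image) not in USER_SHELLS


RULES = {
    "cmd_stdin_from_datafile": rule_cmd_stdin_from_datafile,
    "findstr_marker_carve": rule_findstr_marker_carve,
    "ping_loopback_sleep": rule_ping_loopback_sleep,
    "exe_com_from_sfx_temp": rule_exe_com_from_sfx_temp,
    "nslookup_noargs_odd_parent": rule_nslookup_noargs_odd_parent,
}


def evaluate(e: ProcEvent) -> list:
    return [name for name, fn in RULES.items() if fn(e)]


def scan(events) -> dict:
    """pid -> fired rules, for events with at least one hit."""
    return {e.pid: hits for e in events if (hits := evaluate(e))}


def correlate(events) -> dict:
    """root pid -> distinct rules fired anywhere in that tree; several weak
    signals on one tree are the real detection, not any single rule."""
    by_pid = {e.pid: e for e in events}

    def root_of(pid: int) -> int:
        while pid in by_pid and by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        return pid

    trees = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            trees.setdefault(root_of(e.pid), set()).update(hits)
    return trees


SFX = r"C:\Users\user\AppData\Local\Temp\7ZipSfx.000"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
MARKER = ("ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZM"
          "PlyIGLlBkQvMElyhYdTMciCIjdfJZ")

# Constructed from the report's process tree; quotes as the report prints them.
SAMPLE_EVENTS = [
    ProcEvent(6216, 5912, r"C:\Users\user\Desktop\As47eCZnpZ.exe", "", r"'C:\Users\user\Desktop\As47eCZnpZ.exe'"),
    ProcEvent(6424, 6216, CMD, r"C:\Users\user\Desktop\As47eCZnpZ.exe", r"'C:\Windows\System32\cmd.exe' /c cmd < Profonda.m4a"),
    ProcEvent(6464, 6424, r"C:\Windows\System32\conhost.exe", CMD, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6516, 6424, CMD, CMD, "cmd"),
    ProcEvent(6532, 6516, r"C:\Windows\SysWOW64\findstr.exe", CMD, f"findstr /V /R '^{MARKER}$' Folle.m4a"),
    ProcEvent(6552, 6516, SFX + r"\Bel.exe.com", CMD, "Bel.exe.com R"),
    ProcEvent(6564, 6516, r"C:\Windows\SysWOW64\PING.EXE", CMD, "ping 127.0.0.1 -n 30"),
    ProcEvent(6600, 6552, SFX + r"\Bel.exe.com", SFX + r"\Bel.exe.com", SFX + r"\Bel.exe.com R"),
    ProcEvent(4532, 6600, r"C:\Windows\SysWOW64\nslookup.exe", SFX + r"\Bel.exe.com", r"C:\Windows\SysWOW64\nslookup.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("per tree:", correlate(SAMPLE_EVENTS))
```

Each rule on its own will fire on some legitimate administration (an interactive nslookup from a script host, a long ping used by an installer); the value is the five distinct hits landing under one root process within a few seconds, which is what the sandbox's own process tree shows.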
Mitre Att&ck Matrix
Flattened from the report's matrix; only the cells with signature hits are listed, with the per-cell counts exactly as printed in the matrix. Tactics without a hit are marked as such.

Initial Access: no hits
Execution: Command and Scripting Interpreter 1; Native API 1
Persistence: no hits
Privilege Escalation: Process Injection 2 1 2
Defense Evasion: Process Injection 2 1 2; Deobfuscate/Decode Files or Information 1 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1 2 1
Discovery: System Time Discovery 1; Query Registry 1; Security Software Discovery 2 1; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1 1; System Network Configuration Discovery 2; File and Directory Discovery 2; System Information Discovery 1 4
Lateral Movement: no hits
Collection: Input Capture 1 2 1; Archive Collected Data 1
Exfiltration: Exfiltration Over Other Network Medium 1
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 1
Network Effects: no hits
Behavior Graph

(The graph is an image; the legend and node labels below are what survived extraction. Signature-to-node attribution follows the order of the flattened text and may be imprecise.)

ID: 439538, Sample: As47eCZnpZ, Startdate: 24/06/2021, Architecture: WINDOWS, Score: 80
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Nodes and edges:
- As47eCZnpZ.exe: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains functionality to register a low level keyboard hook; started cmd.exe
- cmd.exe (first instance): Uses ping.exe to check the status of other devices and networks; Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; started conhost.exe and a second cmd.exe
- cmd.exe (second instance): Obfuscated command line found; Uses ping.exe to sleep; started Bel.exe.com, PING.EXE and findstr.exe
- findstr.exe: dropped C:\Users\user\AppData\Local\...\Bel.exe.com (file type shown as Targa)
- Bel.exe.com (first instance): Uses nslookup.exe to query domains; DNS node PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV; started a second Bel.exe.com
- Bel.exe.com (second instance): Uses nslookup.exe to query domains; Writes to foreign memory regions; Injects a PE file into a foreign processes; started nslookup.exe
- nslookup.exe: network node 176.111.174.74, 4173, 49719 (WILWAWPL, Russian Federation)
- Internet nodes 127.0.0.1 and 192.168.2.1 (labelled unknown)
- Created-file / registry-value counts printed on the graph: 7, 1, 3, 1, 1 (their node assignment is not recoverable from the flattened text)
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
As47eCZnpZ.exe | 13% | Virustotal |
As47eCZnpZ.exe | 41% | ReversingLabs | Win32.Trojan.Crypzip
As47eCZnpZ.exe | 100% | Joe Sandbox ML |
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | unknown | unknown | false | | unknown
URLs from Memory and Binaries
Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
176.111.174.74 | unknown | Russian Federation | 201305 | WILWAWPL | false
Private
IP
192.168.2.1
127.0.0.1
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 439538
Start date: 24.06.2021
Start time: 05:55:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: As47eCZnpZ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@16/7@1/3
EGA Information: Failed
HDC Information: Successful, ratio: 59% (good quality ratio 57.8%); Quality average: 89.2%; Quality standard deviation: 19.4%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
Simulations
Behavior and APIs
Time | Type | Description
05:56:31 | API Interceptor | 1x Sleep call for process: Bel.exe.com modified
Joe Sandbox View / Context
IPs
Match | Associated Sample Name / URL | Detection | Context
176.111.174.74 | vMGwWrPRdu.exe | malicious | 176.111.174.74/Kill$.exe
176.111.174.74 | 0Zru1SwgUv.exe | malicious | 176.111.174.74/Kill$.exe
176.111.174.74 | MkN1YeVTbG.exe | malicious | 176.111.174.74/Kill$.exe
176.111.174.74 | ldnaZ1RI6W.exe | malicious | 176.111.174.74/Kill$.exe
176.111.174.74 | MNV60DaSww.exe | malicious | 176.111.174.74/Kill$.exe
176.111.174.74 | UR8zlHNhnw.exe | malicious | 176.111.174.74/Kill$.exe
Domains
No context
ASN
Match | Associated Sample Name / URL | Detection | Context
WILWAWPL | dUHf4W45fC.exe | malicious | 176.111.174.107
WILWAWPL | vMGwWrPRdu.exe | malicious | 176.111.174.74
WILWAWPL | djzqkrJmZC.exe | malicious | 176.111.174.107
WILWAWPL | gknZtppOC6.exe | malicious | 176.111.174.254
WILWAWPL | SeBVPZSYbF.exe | malicious | 176.111.174.254
WILWAWPL | TFPxQL6uLU.exe | malicious | 176.111.174.254
WILWAWPL | xuIDpVhTW8.exe | malicious | 176.111.174.254
WILWAWPL | ALFl44K1Kg.exe | malicious | 176.111.174.254
WILWAWPL | vQu9RlgOox.exe | malicious | 176.111.174.254
WILWAWPL | XO1uYL6AQd.exe | malicious | 176.111.174.254
WILWAWPL | 0EG8l0QFdv.exe | malicious | 176.111.174.89
WILWAWPL | daq2qi3r2X.exe | malicious | 176.111.174.254
WILWAWPL | Op3ra80cp6.exe | malicious | 176.111.174.40
WILWAWPL | qY7H2JjWbU.exe | malicious | 176.111.174.254
WILWAWPL | 41PP9MnS6t.exe | malicious | 176.111.174.254
WILWAWPL | bb4Wdn72fp.exe | malicious | 176.111.174.254
WILWAWPL | FGdFl4G7Bf.exe | malicious | 176.111.174.254
WILWAWPL | 7DfK6MCFiI.exe | malicious | 176.111.174.254
WILWAWPL | V0DNOQ8w1q.exe | malicious | 176.111.174.254
WILWAWPL | 2aWJvuHmxd.exe | malicious | 176.111.174.254
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com
Process: C:\Windows\SysWOW64\findstr.exe
File Type: Targa image data - Mono 65536 x 184 x 0 +65535 ""
Category: modified
Size (bytes): 893606
Entropy (8bit): 6.6201269982958335
Encrypted: false
SSDEEP: 12288:5pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:5T3E53Myyzl0hMf1tr7Caw8M01
MD5: AC7E48DBA858E15A8E690D815932BB19
SHA1: BE87503D572E71FD3D66D0F9DDAD4F2CE00C1FE1
SHA-256: FB037A9D6DE82C0CD301AEEAD155EEC3127282752E1F647A5DCDD156A685E6C2
SHA-512: FCF848846A530CB6E60D79E49B51DADFD31C120E9F23DE6D89A6D9FC0CC38F29F0410E25A5F29BE5722B0BCDE15210B057D9D41E7928A3612EB53F16B7DFB00B
Malicious: true
Reputation: moderate, very likely benign file
Preview: ...... @...... !..L.!This program cannot be run in DOS mode....$...... sD.R.*.R.*.R.*..C..P.*....S.*[email protected].*._@....*[email protected].*.[j..[.*.[j..w.*.R.+ .r.*...... *....S.*[email protected].*.R...P.*....S.*.RichR.*...... PE..L....q.Z...... "...... @...... @...@...... @...... |...... P...... p...q...;...... [..@...... text...... `.rdata...... @[email protected]...... R...... @....rsrc...P...... <...... @[email protected]...... @..B......
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Folle.m4a
Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: data
Category: dropped
Size (bytes): 893707
Entropy (8bit): 6.620332197564393
Encrypted: false
SSDEEP: 12288:IpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:IT3E53Myyzl0hMf1tr7Caw8M01
MD5: 62D36624C2AC3F6FB66BE6E1996DD007
SHA1: 05A99E128D9DDB52CF2941D63BEFAF9E49FFBD1C
SHA-256: CBD4FDFAF795CE48124ABB0D444D939546AED39B342765203E22A60F3105BE7D
SHA-512: 7161444B74D0A7193EA2B671CF08B978C1F8EFEAB7F76C30D8A08A93796625F08B0E181EF37451570A67EF30970A3863BBFA9B3A1D7B09175AD1E37DCB9C1970
Malicious: false
Reputation: low
Preview: ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ...... @...... !..L.!This program cannot be run in DOS mode....$...... sD.R.*.R.*.R.*..C..P.*....S.*[email protected].*._@....*[email protected].*.[j..[.*.[j..w.*.R.+.r.*...... *....S.*[email protected].*.R...P.*....S.*.RichR.*...... PE..L....q.Z...... "...... @...... @...@...... @...... |...... P...... p...q...;...... [..@...... text...... `.rdata...... @[email protected]...... R...... @....rsrc...P...... <...... @[email protected]...... @..B......
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Profonda.m4a
Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 281
Entropy (8bit): 5.72441813736028
Encrypted: false
SSDEEP: 6:CS5IX/jHilqw+Bi39Drqj5cclUnE1Jo/2PlFAkY7loNQXSLp0n:zWXrZw339DrqNcMgcJoePDAkY7lGCS90
MD5: 85D3AE083D0C78B133F784CCBB908F49
SHA1: 0F904C97992551BE5634D36C49CB8CE91827FC9E
SHA-256: 1E56025E8F519E3D6AD524D1F2D7FC05B67CC3A63B59C67AFB23CEF8719BE1B2
SHA-512: ED73C4EA577B65E229D2E7E5880D4EFAD180EC0D1D5D0273E43D864739DEBE249FF1FF4E3614D961C5F71A6AB35C374F94B8983BF71216EC4BFF02AEB6D1F892
Malicious: false
Reputation: low
Preview: if %userdomain%==DESKTOP-QO5QU33 exit 1..
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Puo.m4a
Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 975982
Entropy (8bit): 5.854319450048129
Encrypted: false
SSDEEP: 6144:ip1S9JLZg66YHZ2eABYnEd0a2dVDMvfdydEAgG73GgZ0kmIGdWsNxnKEAXn/vu9t:W1SO6vtrdMmESmddpnHK/4iS7uCVmD0
MD5: 3920574F20EAC0217736519819A577A4
SHA1: 1C022C97B11007C00481A43C805C0E250C1F6318
SHA-256: 7611F2A46A893A9EE77B484EF7635C99F8E06AE5D235627A731FD9DBA7F3093C
SHA-512: 846CBB13A922104BE08580BDF48B5DAE031C6FD8B20B4BD5C14364B7F4B1FCF539F1EEFB3B5D67E565CE23B46C09DD8910573C9540C30EB826B4965F7EFC0541
Malicious: false
Reputation: low
Preview: ..Func FMHdbmYg($uVZ,$ppFfv,$KvtlIJ)..Local $JyoLEhlbigGfOndsWilHaPSHfcoIbHNKrfbwNgBrZMnwPtWXNTLCEhGUjB = 'otBZmAWknwfEIGiHGdRRlmk VEWlyPJCPkSaYbMYASSbWbgrWbFqDcJkJTGcDdRvPnmaPholTadYswgbfSgIpJYzCHIyQdclwvIbYWgIgcukyKTIEpuKwpjumyPiErzDWyXVzRmzEFzOCNgR OqAHlKpSpCXSuutkwDgZNXgMKNucPnDMRYzDCMzjW'...$wkhcFUlEtyI = 150..$ZByMiQdFqFPZBz = 81..While ((6602-6601)*6149)..Switch $wkhcFUlEtyI..Case 1 42....$gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("87_120_118_109_114_107_77_119_74_112_115_101_120_44_43_89_75_69_88_122_102_117_88_107_79_11 9_109_43_45",4)), $dSSXCUZqvPqRNG = 'LCEvpRyOexhVsaGERQtLJJLrRsKbQmeIQeoMuUYiktQDfYHI'..$175 = 138..For $nSaclIGFaQXUTXIWkKJJgyAum VmHBdgckhjskstpPRImhkkomBZcCgKask = 4 To 23..Local $JUgeQAFRiHXCa = 'tgpTnXSWmESoOSJeIFdwZVOuWFgiqDuglKUznVNkoMcJpIMNitZak'..Local $gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_120_118_123_97_92_82_85_95_96_119_78_97_4 8_50",9)), $YdDMSyTh = 'yWgSBZWDOeUyLTcYUDbQmkFKIPRAhm'..Next....$wkhc
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\R
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 975982
Entropy (8bit): 5.854319450048129
Encrypted: false
SSDEEP: 6144:ip1S9JLZg66YHZ2eABYnEd0a2dVDMvfdydEAgG73GgZ0kmIGdWsNxnKEAXn/vu9t:W1SO6vtrdMmESmddpnHK/4iS7uCVmD0
MD5: 3920574F20EAC0217736519819A577A4
SHA1: 1C022C97B11007C00481A43C805C0E250C1F6318
SHA-256: 7611F2A46A893A9EE77B484EF7635C99F8E06AE5D235627A731FD9DBA7F3093C
SHA-512: 846CBB13A922104BE08580BDF48B5DAE031C6FD8B20B4BD5C14364B7F4B1FCF539F1EEFB3B5D67E565CE23B46C09DD8910573C9540C30EB826B4965F7EFC0541
Malicious: false
Reputation: low
Preview: ..Func FMHdbmYg($uVZ,$ppFfv,$KvtlIJ)..Local $JyoLEhlbigGfOndsWilHaPSHfcoIbHNKrfbwNgBrZMnwPtWXNTLCEhGUjB = 'otBZmAWknwfEIGiHGdRRlmk VEWlyPJCPkSaYbMYASSbWbgrWbFqDcJkJTGcDdRvPnmaPholTadYswgbfSgIpJYzCHIyQdclwvIbYWgIgcukyKTIEpuKwpjumyPiErzDWyXVzRmzEFzOCNgR OqAHlKpSpCXSuutkwDgZNXgMKNucPnDMRYzDCMzjW'...$wkhcFUlEtyI = 150..$ZByMiQdFqFPZBz = 81..While ((6602-6601)*6149)..Switch $wkhcFUlEtyI..Case 1 42....$gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("87_120_118_109_114_107_77_119_74_112_115_101_120_44_43_89_75_69_88_122_102_117_88_107_79_11 9_109_43_45",4)), $dSSXCUZqvPqRNG = 'LCEvpRyOexhVsaGERQtLJJLrRsKbQmeIQeoMuUYiktQDfYHI'..$175 = 138..For $nSaclIGFaQXUTXIWkKJJgyAum VmHBdgckhjskstpPRImhkkomBZcCgKask = 4 To 23..Local $JUgeQAFRiHXCa = 'tgpTnXSWmESoOSJeIFdwZVOuWFgiqDuglKUznVNkoMcJpIMNitZak'..Local $gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_120_118_123_97_92_82_85_95_96_119_78_97_4 8_50",9)), $YdDMSyTh = 'yWgSBZWDOeUyLTcYUDbQmkFKIPRAhm'..Next....$wkhc
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Sfaldavano.m4a
Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: data
Category: dropped
Size (bytes): 212992
Entropy (8bit): 7.999103891298141
Encrypted: true
SSDEEP: 6144:7FnNA0Jy8tpv/G5phjDeRUbo+KUMyNiVt6NC1:7FN3pXG9jDeavN2tiC1
MD5: AD0CEE9C167ACAECFEE67E32C1E53A95
SHA1: 57C8C7FE1F1A75217F269BF00563E56E9DD694BE
SHA-256: 842764050803468DDBD46DF063AA2EE1952598406E3784CDCA57BAEBA21D6775
SHA-512: C3E88F8F89EF5258D9F49FB10342D6883788EA4322AA9B7AA43E619145E87259AEBE42E2D9E9F1A5A01D9729EDF6FF345BC74583EB62206E798DC7047B642634
Malicious: false
Preview: @6...*\...R...G..R.9.. ...'...... C...... 1..Jqa....[Y...Ob^.B.5 .{ .qG.*...."..../..4 Bu.a...,...T...s..t..$..m...*.b_#..I..MG...a<.y...&q...G....l...... Y.a.:.}N.F..'..'.]...s..&j.:.:$.....?.P...= .x....X.Uf.hm....G[..Y....z....K.Wh([email protected]...}c&n..q{u..[UY.(g.\.....C.:-..5....OJZt...... @.O..d.u.w.9....D.....c.
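The "Entropy (8bit)" and "Encrypted" fields above separate the dropped files into three roles: Sfaldavano.m4a at 7.999 is flagged Encrypted: true and is the only candidate for an encrypted payload, Puo.m4a and R at 5.85 are the script text, and Folle.m4a / Bel.exe.com at 6.62 are the marker-prefixed and carved PE. As an added example (not Joe Sandbox code), the Python below computes the same 8-bit Shannon entropy and applies a small triage that tells those roles apart on constructed stand-ins for the files. The 7.9 cut-off is an assumption; the report marks 7.999 as encrypted and 6.62 as not, but does not state its threshold.

```python
"""Entropy-based triage of dropped files, mirroring the report's
'Entropy (8bit)' and 'Encrypted' fields.

Added example, not Joe Sandbox code. ENCRYPTED_THRESHOLD is an assumed cut-off
(the report marks Sfaldavano.m4a at 7.999 as Encrypted: true and Folle.m4a at
6.62 as false; its real threshold is not stated). All inputs are constructed.
"""
import math
from collections import Counter

ENCRYPTED_THRESHOLD = 7.9  # assumed; see module docstring


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte-value histogram: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or TAB/LF/CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def triage(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> str:
    """Rough role of a dropped file: PE, PE hidden behind a text marker line,
    encrypted/compressed blob, script or text, or other binary data."""
    if data.startswith(b"MZ"):
        return "pe"
    nl = data.find(b"\n")
    if nl != -1 and printable_ratio(data[:nl]) == 1.0 and data[nl + 1:].startswith(b"MZ"):
        return "pe_after_marker_line"
    if shannon_entropy(data) >= threshold:
        return "high_entropy_blob"
    if printable_ratio(data) > 0.95:
        return "script_or_text"
    return "data"


# Constructed stand-ins for the report's dropped files (not their real contents).
SAMPLES = {
    "folle_like": b"ZHdrmMsYFJiRDNmGpRon\r\n" + b"MZ\x90\x00" + bytes(range(64)),  # marker line, then PE
    "bel_like": b"MZ\x90\x00" + bytes(range(64)),                                   # carved PE
    "puo_like": b"Func FMHdbmYg($uVZ,$ppFfv,$KvtlIJ)\r\nLocal $x = 'abc'\r\nEndFunc\r\n",  # script text
    "sfaldavano_like": bytes(range(256)) * 16,                                      # uniform byte histogram
    "zeros": bytes(512),                                                            # constant data
}


def triage_all(samples=SAMPLES) -> dict:
    """name -> (entropy rounded to 3 places, role)."""
    return {name: (round(shannon_entropy(d), 3), triage(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (ent, role) in triage_all().items():
        print(f"{name:16s} entropy={ent:5.3f} role={role}")
```

Run against the real 7ZipSfx.000 directory this would flag Sfaldavano.m4a as the blob worth handing to the script's decryption routine and Folle.m4a as the file to carve, which is the order of operations the process tree shows.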
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.671481217690432
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: As47eCZnpZ.exe
File size: 1521629
MD5: 93df98db8236868f5bd80ec14fe33a6c
SHA1: b42499efc5cad69836bfd85e226bc088d62f05fe
SHA256: ad09d1a6e737f2900eb85a8f92092d4c9065ba7b94902dc78ab900cbff166e82
SHA512: 1faf66b7eaeeb89ae18be3aae8641107b3c7f54a1fa0aa684bd9bc864143832ff3568d0cc4ebd45ebe026c7e9fc6134c2dda976d24ac69ce0814e2af615f6759
SSDEEP: 24576:JChmYDQDXULmCiIhekpMYVBgqrQyTIhBri4oNGxL2GbPo8P9XT:JbSQDb8/V4yklSGxL2sT9XT
File Content Preview: MZ`...... @...... `...... !..L.!Require Windows..$PE..L...... V...... `...... @...... p. .\......
File Icon
Icon Hash: f0ecd4d4d4dcd4d4
Static PE Info
General
Entrypoint: 0x41badf
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x56B8EE06 [Mon Feb 8 19:35:34 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 650ed02ca4b6baad6b24f20402b6268b
Entrypoint Preview
Data Directories
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b48a | 0x1b600 | False | 0.60014447774 | data | 6.68441909824 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0x4082 | 0x4200 | False | 0.453184185606 | data | 5.64476234082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x4c30 | 0x800 | False | 0.427734375 | data | 3.84196672305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x27000 | 0x6155c | 0x61600 | False | 0.384093689827 | data | 6.18503201203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Imports
Version Infos
Possible Origin
Language of compilation system | Country where language is spoken
English | United States
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 24, 2021 05:56:31.408637047 CEST | 192.168.2.5 | 8.8.8.8 | 0x35da | Standard query (0) | PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 24, 2021 05:56:31.463387012 CEST | 8.8.8.8 | 192.168.2.5 | 0x35da | Name error (3) | PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | none | none | A (IP address) | IN (0x0001)
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: As47eCZnpZ.exe PID: 6216 Parent PID: 5912
General
Start time: 05:56:21
Start date: 24/06/2021
Path: C:\Users\user\Desktop\As47eCZnpZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\As47eCZnpZ.exe'
Imagebase: 0x400000
File size: 1521629 bytes
MD5 hash: 93DF98DB8236868F5BD80EC14FE33A6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Created
File Deleted
File Written
File Read
Analysis Process: cmd.exe PID: 6424 Parent PID: 6216
General
Start time: 05:56:27
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c cmd < Profonda.m4a
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Analysis Process: conhost.exe PID: 6464 Parent PID: 6424
General
Start time: 05:56:27
Start date: 24/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: cmd.exe PID: 6516 Parent PID: 6424
General
Start time: 05:56:28
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Created
File Written
File Read
Analysis Process: findstr.exe PID: 6532 Parent PID: 6516
General
Start time: 05:56:28
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V /R '^ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ$' Folle.m4a
Imagebase: 0x1380000
File size: 29696 bytes
MD5 hash: 8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
File Written
Analysis Process: Bel.exe.com PID: 6552 Parent PID: 6516
General
Start time: 05:56:29
Start date: 24/06/2021
Path: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com
Wow64 process (32bit): true
Commandline: Bel.exe.com R
Imagebase: 0x7ff797770000
File size: 893608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
File Read
Analysis Process: PING.EXE PID: 6564 Parent PID: 6516
General
Start time: 05:56:29
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 30
Imagebase: 0xe30000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Analysis Process: Bel.exe.com PID: 6600 Parent PID: 6552
General
Start time: 05:56:30
Start date: 24/06/2021
Path: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com R
Imagebase: 0x10e0000
File size: 893608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
File Deleted
File Read
Analysis Process: nslookup.exe PID: 4532 Parent PID: 6600
General
Start time: 05:58:16
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\nslookup.exe
Imagebase: 0xc40000
File size: 78336 bytes
MD5 hash: 8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Registry Activities
Key Created
Key Value Created
Disassembly
Code Analysis