
Analysis Report module.8144.18ffc90c0.400000.dll

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 136638
Start date: 29.05.2019
Start time: 16:49:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: module.8144.18ffc90c0.400000.dll (renamed file extension from dll to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.rans.evad.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 23
  • Number of non-executed functions: 93
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 80 | 0 - 100 | - | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | -

Classification

(classification chart not reproduced; label: mal80.rans.evad.winEXE@2/1@0/0)
Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Tactic | Techniques flagged in this analysis (numeric suffixes are the report's own per-technique counters, reproduced as printed)
Initial Access | none
Execution | none
Persistence | none
Privilege Escalation | Access Token Manipulation 1; Process Injection 1
Defense Evasion | Disabling Security Tools 1; Software Packing 1; Access Token Manipulation 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; File Deletion 1; Obfuscated Files or Information 2; DLL Side-Loading 1
Credential Access | none
Discovery | System Time Discovery 1; Query Registry 1; Process Discovery 2; Application Window Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Security Software Discovery 21; File and Directory Discovery 1; System Information Discovery 13
Lateral Movement | none
Collection | Clipboard Data 1
Exfiltration | Data Encrypted 21
Command and Control | Standard Cryptographic Protocol 1; Commonly Used Port 1
Unflagged cells of the matrix (the standard ATT&CK technique list) are omitted.

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
Source: module.8144.18ffc90c0.400000.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_00401063, 0_1_00401063: CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_00401000, 0_1_00401000: EntryPoint,CryptAcquireContextA,lstrcpyW,lstrlenW,lstrcatW,GetFileAttributesW,CreateFileW,WriteFile,CloseHandle,SetFileAttributesW,GlobalFree
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_004017A2, 0_1_004017A2: GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_0040128D, 0_1_0040128D: MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_0040191C, 0_1_0040191C: CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA
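The API sequences above are what Joe Sandbox prints for each analysed function: the function id, the Win32 calls in the order they appear, and the id again. Read as ordered subsequences they separate the behaviours that matter for ransomware triage: 0040128D generates a key, exports it, encrypts a mapped file, rewrites it and changes its attributes (per-file encryption); 004017A2 generates and exports a key, then imports a second key, encrypts with it and writes the result to the registry (the generated key is wrapped with an imported key); 00401063 imports a key and decrypts. The following Python script is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself. It parses these strings and matches them against ordered API subsequences; the pattern names, the set treated as core ransomware behaviour, and the sample lines (copied from this report, with 004017A2 and 004014CC abridged to their relevant calls in the original order) are the example's own choices.

```python
"""Triage Joe Sandbox 'Code function' API sequences for ransomware behaviour.

Added example, not part of the Joe Sandbox report. Pattern names, the
RANSOMWARE_CORE set and the abridged sample lines are this example's own.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Ordered API subsequences (not necessarily contiguous). Labels are this
# example's, not Joe Sandbox signature names.
PATTERNS: Dict[str, List[str]] = {
    # fresh key, export it, encrypt, rewrite the file, change attributes (0040128D)
    "per_file_encrypt": ["CryptGenKey", "CryptExportKey", "CryptEncrypt",
                         "WriteFile", "SetFileAttributesW"],
    # file renamed, then encrypted and written back (0040128D)
    "move_and_encrypt": ["MoveFileW", "CryptEncrypt", "WriteFile"],
    # generated key exported, another key imported, encrypt, store in registry (004017A2)
    "key_wrap_to_registry": ["CryptGenKey", "CryptExportKey", "CryptImportKey",
                             "CryptEncrypt", "RegSetValueExA"],
    # import a key blob and decrypt with it (00401063)
    "keyed_decrypt": ["CryptImportKey", "CryptDecrypt"],
    # walk the process list and terminate matches (00401D2D)
    "process_kill_loop": ["CreateToolhelp32Snapshot", "Process32FirstW",
                          "OpenProcess", "TerminateProcess", "Process32NextW"],
    # enable additional token privileges (00401DE7)
    "privilege_adjust": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"],
    # directory walk that spawns a worker thread while iterating (004014CC)
    "threaded_directory_walk": ["FindFirstFileW", "CreateThread", "FindNextFileW"],
    # plain enumeration, also present in the benign FileCoAuth.exe
    "directory_enumeration": ["FindFirstFileW", "FindNextFileW"],
}

# Behaviours that on their own mark a function as ransomware-like.
RANSOMWARE_CORE = {"per_file_encrypt", "key_wrap_to_registry"}

_LINE_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>.+?),?(?P=fid)$")


def parse_code_function(line: str) -> Tuple[str, List[str]]:
    """Split '0_2_00401063 A,B,C,0_2_00401063' into (id, [A, B, C]).

    Accepts the bare string or a full report line containing 'Code function:'.
    """
    if "Code function:" in line:
        line = line.split("Code function:", 1)[1]
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Code function entry: {line!r}")
    return m.group("fid"), [a for a in m.group("apis").split(",") if a]


def contains_in_order(apis: Iterable[str], pattern: List[str]) -> bool:
    """True if every API in `pattern` occurs in `apis`, in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(api == wanted for api in it) for wanted in pattern)


def classify(apis: List[str]) -> List[str]:
    """Sorted pattern names matched by one function's API list."""
    return sorted(name for name, pat in PATTERNS.items() if contains_in_order(apis, pat))


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every Code function line: {function id: [pattern names]}."""
    return {fid: classify(apis) for fid, apis in map(parse_code_function, lines)}


def verdict(results: Dict[str, List[str]]) -> str:
    """Name the functions that show core ransomware behaviour."""
    hits = sorted(fid for fid, names in results.items() if RANSOMWARE_CORE & set(names))
    return "ransomware-like: " + ", ".join(hits) if hits else "no core ransomware pattern"


# Constructed sample: sequences from this report (004017A2, 004014CC abridged, order kept).
SAMPLE_LINES = [
    "0_2_00401063 CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00401063",
    "0_2_0040128D MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,"
    "CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,"
    "CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,"
    "CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,"
    "SetFileAttributesW,0_2_0040128D",
    "0_2_004017A2 GetModuleFileNameA,RegOpenKeyExA,RegSetValueExA,CopyFileA,"
    "CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,"
    "CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,RegSetValueExA,"
    "RegSetValueExA,RegCloseKey,ShellExecuteA,CreateFileA,WriteFile,ShellExecuteA,0_2_004017A2",
    "0_2_004014CC FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,GlobalMemoryStatus,"
    "Sleep,CreateThread,CloseHandle,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree,"
    "0_2_004014CC",
    "0_2_00401D2D CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,"
    "GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,"
    "Sleep,0_2_00401D2D",
    "0_2_00401DE7 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,"
    "FindCloseChangeNotification,0_2_00401DE7",
    "9_2_00E9A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,"
    "FindNextFileW,FindClose,9_2_00E9A394",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for fid, names in results.items():
        print(f"{fid}: {', '.join(names) or '-'}")
    print(verdict(results))
```

Matching on ordered subsequences rather than on the presence of individual APIs is what keeps FileCoAuth.exe's FindFirstFileW/FindNextFileW loop out of the ransomware bucket while still flagging 0040128D and 004017A2; the same distinction is why the `per_file_encrypt` pattern requires the trailing WriteFile and SetFileAttributesW that a key-wrapping routine does not have.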

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_004014CC, 0_1_004014CC: FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code functions 9_2_00E9A394, 9_1_00E9A394: memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code functions 9_2_00E95DAE, 9_1_00E95DAE: FindFirstFileW

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_2_00E9765E: OpenClipboard

Spam, unwanted Advertisements and Ransom Demands:

Detected LockCrypt Ransomware
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function 0_1_004017A2: GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA
Contains functionality to clear event logs
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_1_004017A2, 0_1_0040191C: embedded batch script:
    @echo off
    for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")
    goto End
    :r
    wevtutil.exe cl %1
    goto :eof
    :End
    rd /s /q %systemdrive%\$RECYCLE.BIN
    del %0
Contains functionality to encrypt and move a file in one function
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_0040128D, 0_1_0040128D: MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW
Deletes shadow drive data (may be related to ransomware)
Source: module.8144.18ffc90c0.400000.exe | Binary or memory string: /c vssadmin delete shadows /all
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000000.593186365.0000000000403000.00000008.sdmp | Binary or memory string: del %0/c vssadmin delete shadows /all/c Regsvr32 /s Rsaenh.dllABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-openSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromptOnSecureDesktopEnableLUAConsentPromptBehaviorAdminSeDebugPrivilegeSeBackupPrivilegeSeRestorePrivilegeunlock"c:\Decoding help.hta"searchfilesC:\windows\searchfiles.exeC:\Windows\System32\mshta.exe
Detected suspicious e-Mail address in disassembly
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_1_004017A2, 0_1_0040191C: 04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS
Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_00401063, 0_1_00401063: CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_004017A2, 0_1_004017A2: GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_0040191C, 0_1_0040191C: CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA
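The strings and the embedded batch script in this section are the host-visible side of the sample's behaviour: vssadmin deleting every shadow copy, wevtutil clearing every event log it can enumerate, rd /s /q on $RECYCLE.BIN, Regsvr32 re-registering Rsaenh.dll, mshta opening the ransom note, a Run-key autostart, and the UAC policy values PromptOnSecureDesktop, EnableLUA and ConsentPromptBehaviorAdmin. Each of these produces a process-creation or registry-set event on an endpoint, which is where detection belongs. The following Python script is an added example, not part of the Joe Sandbox report or of Joe Sandbox. It runs regex rules over Sysmon-style events constructed inline from those indicators, with benign lookalikes (vssadmin list shadows, wevtutil qe, EnableLUA set to 1) to show the rules do not fire on them, and correlates hits per host. The rule names, event field names, the "destructive plus one other rule" threshold and the sample events are the example's own assumptions.

```python
"""Detect the ransomware precursors in this report in endpoint telemetry.

Added example, not part of the Joe Sandbox report. Rule names, event field
names, the correlation threshold and SAMPLE_EVENTS are this example's own.
"""
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Command-line rules for the strings the sample carries.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "recycle_bin_wipe": re.compile(r"\brd\b.*\s/s\b.*\$recycle\.bin", re.I),
    "mshta_hta_launch": re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I),
    "csp_reregistration": re.compile(r"\bregsvr32(\.exe)?\b.*\brsaenh\.dll\b", re.I),
}

UAC_KEY = r"software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
# UAC values named in the sample's strings, with the setting that disables the prompt.
UAC_WEAKENING = {"enablelua": "0", "consentpromptbehavioradmin": "0", "promptonsecuredesktop": "0"}

# Rules that destroy recovery data or evidence; one of these is required for an alert.
DESTRUCTIVE = {"shadow_copy_deletion", "event_log_clear", "recycle_bin_wipe"}


def match_cmdline(cmdline: str) -> List[str]:
    """Sorted rule names that fire on one process command line."""
    return sorted(name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline))


def match_registry(key: str, value: str) -> List[str]:
    """Rule names for one registry value write (key includes the value name)."""
    path, _, name = key.lower().rpartition("\\")
    hits = []
    if path.endswith(UAC_KEY) and UAC_WEAKENING.get(name) == value.strip():
        hits.append("uac_tamper")
    if path.endswith(RUN_KEY):
        hits.append("run_key_persistence")
    return hits


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires on the event stream."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["event"] == "process_create":
            names = match_cmdline(ev["cmdline"])
        elif ev["event"] == "registry_set":
            names = match_registry(ev["key"], ev["value"])
        else:
            names = []
        hits.extend((i, n) for n in names)
    return hits


def correlate(hits: List[Tuple[int, str]], events: List[Event]) -> Dict[str, str]:
    """Per host: alert when a destructive rule and at least one other distinct rule fired."""
    per_host: Dict[str, Set[str]] = {}
    for i, name in hits:
        per_host.setdefault(events[i]["host"], set()).add(name)
    return {host: "ransomware_precursor" for host, names in per_host.items()
            if names & DESTRUCTIVE and len(names) >= 2}


# Constructed sample events: WS01 replays the sample's indicators, WS02 is benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"host": "WS01", "event": "process_create", "cmdline": "cmd.exe /c vssadmin delete shadows /all"},
    {"host": "WS01", "event": "process_create", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "event": "process_create", "cmdline": "cmd.exe /c rd /s /q C:\\$RECYCLE.BIN"},
    {"host": "WS01", "event": "process_create",
     "cmdline": 'C:\\Windows\\System32\\mshta.exe "c:\\Decoding help.hta"'},
    {"host": "WS01", "event": "process_create", "cmdline": "cmd.exe /c Regsvr32 /s Rsaenh.dll"},
    {"host": "WS01", "event": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "value": "0"},
    {"host": "WS01", "event": "registry_set",
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\searchfiles",
     "value": "C:\\windows\\searchfiles.exe"},
    {"host": "WS02", "event": "process_create", "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "event": "process_create", "cmdline": "wevtutil.exe qe Security /c:5"},
    {"host": "WS02", "event": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "value": "1"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for i, name in found:
        print(f"{SAMPLE_EVENTS[i]['host']}: {name}")
    print(correlate(found, SAMPLE_EVENTS))
```

The correlation step is the part worth keeping when porting this to a SIEM: `vssadmin delete shadows` alone is also what a backup agent or an administrator runs, but together with an event-log wipe, a UAC policy change or a mshta-launched .hta on the same host within the same window it is the sequence this sample's batch script and strings describe.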

System Summary:

Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00E94307 appears 246 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00EA29EC appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00E94E9D appears 328 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00EA31CA appears 74 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00EA3194 appears 116 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00E91E20 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00E9851B appears 122 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00EA2BBA appears 262 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | String function 00EA3161 appears 176 times
Sample file name differs from the original file name in the version info
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2314748360.00000000004A0000.00000002.sdmp | Binary or memory string: OriginalFilenamempr.dll.muij% vs module.8144.18ffc90c0.400000.exe
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs module.8144.18ffc90c0.400000.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal80.rans.evad.winEXE@2/1@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_00401DE7, 0_1_00401DE7: OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_2_00E97025: GetDiskFreeSpaceExW
Contains functionality to enumerate processes or threads
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function 0_2_00401D2D: CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_2_00E921A2: CoCreateInstance
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-5-29.2357.2916.1.aodl
Might use command line arguments
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Command line argument: FileCoAuth (9_2_00E92E4B)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Command line argument: FileCoAuth (9_1_00E92E4B)
PE file has an executable .text section and no other executable section
Source: module.8144.18ffc90c0.400000.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments (.Net)
Source: FileCoAuth.exe | String found in binary or memory: /installperfcounters
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe 'C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe -Embedding
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Binary contains paths to debug symbols
Source: Binary string: FileCoAuth.pdb | source: FileCoAuth.exe, 00000009.00000000.2084517723.0000000000EA6000.00000002.sdmp
Source: Binary string: FileCoAuth.pdbDD | source: FileCoAuth.exe, 00000009.00000000.2084517723.0000000000EA6000.00000002.sdmp

Data Obfuscation:

PE file contains an invalid checksum
Source: module.8144.18ffc90c0.400000.exe | Static PE information: real checksum: 0x3f67 should be: 0xa6a9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_2_00EA313E: push ecx; ret 9_2_00EA3151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_2_00EA3265: push ecx; ret 9_2_00EA3278
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_1_00EA313E: push ecx; ret 9_1_00EA3151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function 9_1_00EA3265: push ecx; ret 9_1_00EA3278

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function 0_2_00401D2D: CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Window / User API: threadDelayed 4593
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | API coverage: 5.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe, TID 4312 | Thread sleep count: 4593 > 30
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe, TID 4312 | Thread sleep time: -137790000s >= -30000s
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe, TID 4312 | Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code functions 0_2_004014CC, 0_1_004014CC: FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code functions 9_2_00E9A394, 9_1_00E9A394: memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code functions 9_2_00E95DAE, 9_1_00E95DAE: FindFirstFileW
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_2_00E9A7CF IsDebuggerPresent,OutputDebugStringW,9_2_00E9A7CF
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe; Code function: 0_2_00401D2D CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,0_2_00401D2D
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_2_00EA32C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,9_2_00EA32C6
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_1_00EA32C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,9_1_00EA32C6

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp; Binary or memory string: Program Manager
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp; Binary or memory string: Shell_TrayWnd
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp; Binary or memory string: Progman
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: GetLocaleInfoW,9_2_00E97325
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: GetLocaleInfoW,9_1_00E97325
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe; Code function: 0_2_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_2_004017A2
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_2_00E969DE memset,GetUserNameW,9_2_00E969DE
Contains functionality to query the Windows version
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_2_00EA1383 GetVersionExW,9_2_00EA1383
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Contains functionality to modify Windows User Account Control (UAC) settings
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe; Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values PromptOnSecureDesktop, EnableLUA, ConsentPromptBehaviorAdmin); 0_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe; Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values PromptOnSecureDesktop, EnableLUA, ConsentPromptBehaviorAdmin); 0_1_0040191C

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_2_00E9ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx,9_2_00E9ECC0
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe; Code function: 9_1_00E9ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx,9_1_00E9ECC0

Behavior Graph

Behavior Graph ID: 136638
Sample: module.8144.18ffc90c0.400000.dll
Start date: 29/05/2019
Architecture: WINDOWS
Score: 80

Sample-level signatures:

  • Antivirus or Machine Learning detection for sample
  • Deletes shadow drive data (may be related to ransomware)
  • Antivirus or Machine Learning detection for unpacked file

Started processes:

  • module.8144.18ffc90c0.400000.exe
  • FileCoAuth.exe

Signatures for module.8144.18ffc90c0.400000.exe:

  • Detected LockCrypt Ransomware
  • Contains functionality to encrypt and move a file in one function
  • Contains functionality to modify Windows User Account Control (UAC) settings
  • 2 other signatures

Simulations

Behavior and APIs

Time: 16:50:40; Type: API Interceptor; Description: 4607x Sleep call for process: module.8144.18ffc90c0.400000.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source: module.8144.18ffc90c0.400000.exe; Detection: 100%; Scanner: Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source: 0.0.module.8144.18ffc90c0.400000.exe.400000.0.unpack; Detection: 100%; Scanner: Joe Sandbox ML
Source: 0.1.module.8144.18ffc90c0.400000.exe.400000.0.unpack; Detection: 100%; Scanner: Joe Sandbox ML
Source: 0.2.module.8144.18ffc90c0.400000.exe.400000.0.unpack; Detection: 100%; Scanner: Joe Sandbox ML

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.