
Analysis Report XgkKQZc74T.exe

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:710217
Start date:12.11.2018
Start time:22:28:12
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:XgkKQZc74T.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 x64 (Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.evad.winEXE@3/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 5
  • Number of non-executed functions: 1
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, mscorsvw.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.

Detection

Strategy:Threshold
Score:56
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Sample might require command line arguments, analyze it with the command line cookbook



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
Execution:
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
Privilege Escalation:
  • Process Injection¹ ¹
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
Defense Evasion:
  • Masquerading¹
  • Software Packing¹
  • Process Injection¹ ¹
  • Obfuscated Files or Information¹
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
Discovery:
  • System Service Discovery
  • Application Window Discovery
  • Query Registry
  • System Network Configuration Discovery
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
Collection:
  • Data from Local System
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
Exfiltration:
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
Command and Control:
  • Standard Cryptographic Protocol¹
  • Fallback Channels
  • Custom Cryptographic Protocol
  • Multiband Communication

Signature Overview

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Memory allocated: 76D80000 page execute and read and write
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Memory allocated: 76C80000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Memory allocated: 76D80000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Memory allocated: 76C80000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_00401992
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_00401496
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_0040199D
Sample file is different than original file name gathered from version info
Source: XgkKQZc74T.exe, 00000001.00000002.300612479.0000000000540000.00000002.sdmp | Binary or memory string: System.OriginalFileName vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300792911.0000000000580000.00000008.sdmp | Binary or memory string: originalfilename vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300792911.0000000000580000.00000008.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300901341.00000000005B0000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs XgkKQZc74T.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File read: C:\Users\user\Desktop\XgkKQZc74T.exe
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@3/1@0/0
Creates temporary files
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File created: C:\Users\user~1\AppData\Local\Temp\szgfw.exe
PE file has an executable .text section and no other executable section
Source: XgkKQZc74T.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\XgkKQZc74T.exe 'C:\Users\user\Desktop\XgkKQZc74T.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
PE file contains a debug data directory
Source: XgkKQZc74T.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: uiopferta.pdb source: XgkKQZc74T.exe

Data Obfuscation:

Detected packer (overwrites its own PE header)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Unpacked PE file: 1.2.XgkKQZc74T.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Unpacked PE file: 2.2.szgfw.exe.400000.0.unpack
PE file contains an invalid checksum
Source: XgkKQZc74T.exe | Static PE information: real checksum: 0x14be4 should be: 0x16762
Source: szgfw.exe.1.dr | Static PE information: real checksum: 0x14be4 should be: 0x770c
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 6.97667822547

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File created: C:\Users\user~1\AppData\Local\Temp\szgfw.exe

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, PE includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in PE file: icon matches a legit application icon: e8d8888888ac84b8
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe TID: 256 | Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe TID: 256 | Thread sleep time: -109000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Last function: Thread delayed

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: Program Manager
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: !Progman

Behavior Graph

Behavior Graph ID:710217
Sample:XgkKQZc74T.exe
Startdate:12/11/2018
Architecture:WINDOWS
Score:56
Graph contents (recovered from the rendered graph):
  • XgkKQZc74T.exe started; signature on the sample: Icon mismatch, PE includes an icon from a different legit application in order to fool users
  • XgkKQZc74T.exe dropped C:\Users\user~1\AppData\Local\...\szgfw.exe (PE32); signature: Detected packer (overwrites its own PE header)
  • szgfw.exe started as a child of XgkKQZc74T.exe; signature: Detected packer (overwrites its own PE header)

Simulations

Behavior and APIs

Time | Type | Description
22:29:11 | API Interceptor | 1x Sleep call for process: XgkKQZc74T.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots


Startup

  • System is w7x64l
  • XgkKQZc74T.exe (PID: 316 cmdline: 'C:\Users\user\Desktop\XgkKQZc74T.exe' MD5: B113F9673926A4DA52A24BAB925A51CB)
    • szgfw.exe (PID: 268 cmdline: 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe' MD5: FEC523CD6854792CCAB4E308B77F6D26)
  • cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\szgfw.exe
Process:C:\Users\user\Desktop\XgkKQZc74T.exe
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):29792
Entropy (8bit):5.34156855306948
Encrypted:false
MD5:FEC523CD6854792CCAB4E308B77F6D26
SHA1:7AACB730DADDC4A96F34B0E0BF8CED33DFF73208
SHA-256:B4143846A11B4498A57FAEA636DB394FFAFE5DE77ED7819DBB33DD854088BC0F
SHA-512:F4712E70C6F79AC4058C147108F46034AF59D7F3A68CFFF8F3C58513651C176FFD6C10514F67B723D77EF1BBF94FE97BCBC1B42CAB7A9F524AA02AD5F8466653
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):5.342677298449259
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name:XgkKQZc74T.exe
File size:29708
MD5:b113f9673926a4da52a24bab925a51cb
SHA1:93954a4504345d4a33ee6b1e000946ff8275e2fe
SHA256:973c5ba01815e4f19749cae93c1a5bbcfca39382edd931b1639f0692d089b7bd
SHA512:86b3bd8cf99f9ff285193f12de3a97b23739ffc103a2e786da57ebbf0526b974cf919bf72c4aae379605a3b41a2a94ed2d45d5f42e48bc08a4bea7c69c391275
SSDEEP:768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rCBswh:GY9jw/dUT62rGdiUOWWrCqwh
File Content Preview:MZ......................@...............................................!..L.!That program cannot be run in DOS mode....$.......PE..L......S................."...D...............@....@..................................K.....................................

File Icon

Icon Hash:e8d8888888ac84b8

Static PE Info

General

Entrypoint:0x401992
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x530503FE [Wed Feb 19 19:20:30 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:222e7b320f36011feb1642000d8fa826

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFB0h
mov esi, dword ptr [esp]
add esi, 55h
xor dword ptr [004050B5h], esi
mov edx, dword ptr [esp]
add edx, esi
mov ecx, dword ptr [esp]
adc ecx, dword ptr [00405074h]
mov eax, dword ptr [esp]
add eax, esi
mov edx, dword ptr [esp]
add edx, eax
sub dword ptr [004051E0h], esi
sub esi, esi
xor edx, FFFFFFD3h
or eax, dword ptr [004050A8h]
sub edx, 6Ch
lea ecx, dword ptr [00405CE0h]
push dword ptr [ecx]
call dword ptr [004041A8h]
mov ecx, dword ptr [esp]
add ecx, eax
or ah, byte ptr [00405168h]
mov ebx, dword ptr [esp]
adc ebx, dword ptr [0040510Dh]
mov edi, dword ptr [esp]
add edi, esi
mov edx, 00401600h
call edx
xor edi, ebx
and dword ptr [00405056h], 000000B1h
xor dword ptr [004050C0h], esi
adc eax, dword ptr [004050AAh]
or dword ptr [004050E3h], 000000CEh
adc cl, byte ptr [0040516Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4051F50Dh], al
add byte ptr [ebx], bh
mov dh, byte ptr [esp]
add dh, bh
mov ecx, dword ptr [esp]
adc ecx, dword ptr [004050D4h]
or eax, dword ptr [00405140h]
push 00405C3Dh
push 00405C32h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41e4 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x2cae | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5d01 | 0x1c | .data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4100 | 0x1e4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x210a | 0x2200 | False | 0.687614889706 | DBase 3 data file with memo(s) (1079070981 records) | 6.97667822547 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x708 | 0x800 | False | 0.451171875 | data | 4.1084947915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0xd43 | 0xe00 | False | 0.573102678571 | data | 5.17510483066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x2cae | 0x2e00 | False | 0.11277173913 | data | 3.12356224824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6706 | 0x25a8 | data | |
RT_MENU | 0x60f0 | 0x600 | data | English | United States
RT_GROUP_ICON | 0x66f0 | 0x16 | MS Windows icon resource - 1 icon | |

Imports

DLL | Import
cryptdll.dll | CDBuildVect, MD5Update, CDLocateRng, MD5Init
shell32.dll | DragAcceptFiles, SHCreateShellItem, ShellAboutA, SHGetFileInfoA, StrChrA, SHFileOperationA, DragQueryFileA, FreeIconList, SHGetDataFromIDListA, SHGetDiskFreeSpaceA, FindExecutableA, SHGetDesktopFolder, ShellMessageBoxW, SHGetFolderPathA, SHGetMalloc, DragFinish
dbnmpntw.dll | ConnectionClose, ConnectionWrite, ConnectionError
kernel32.dll | FileTimeToSystemTime, SearchPathA, OpenMutexA, GetPrivateProfileIntW, GetModuleHandleW, GetLocalTime, ReadConsoleW, FindFirstFileA, GetEnvironmentVariableA, DeviceIoControl, SetEnvironmentVariableW, CompareStringW, GetStringTypeW, IsValidCodePage, lstrcmpiA, lstrcmpA, TlsGetValue, GetProcAddress, GetTickCount, WriteConsoleA, lstrcpynW, GetLastError, CreateDirectoryA, GetCurrentDirectoryW, SetErrorMode, SleepEx, InterlockedDecrement, GetFullPathNameW, GetPrivateProfileIntW, IsBadStringPtrA

Possible Origin

Language of compilation system:English
Country where language is spoken:United States

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:22:29:03
Start date:12/11/2018
Path:C:\Users\user\Desktop\XgkKQZc74T.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\XgkKQZc74T.exe'
Imagebase:0x400000
File size:29708 bytes
MD5 hash:B113F9673926A4DA52A24BAB925A51CB
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:22:29:11
Start date:12/11/2018
Path:C:\Users\user\AppData\Local\Temp\szgfw.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Imagebase:0x400000
File size:29792 bytes
MD5 hash:FEC523CD6854792CCAB4E308B77F6D26
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:29.2%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:16
    Total number of Limit Nodes:3

    Graph

    Execution graph (recovered from the rendered graph):
    • 40126b -> 401278 -> 40128a (self-loop) -> 401293 VirtualAlloc (self-loop) -> 4012aa CreateFileW
    • 4012aa CreateFileW -> 401331 ReadFile -> 401378 -> 401380 CreateFileW -> 4013b6 WriteFile -> 4013d3 ShellExecuteW, ExitProcess
    • 4012aa, 401380 and 40140d also branch to 4017f9
    • 401378 -> 40140d -> 4017a8 SetEnvironmentVariableW (loops back to 40140d)
    • 40101d -> 401026 GetComputerNameW -> 4010d6

    Callgraph

    Callgraph (recovered from the rendered graph):
    • Function_00401160
    • Function_00401141
    • Function_00401001
    • Function_00401278 (calls Function_00401141)
    • Function_0040126B (calls Function_00401278)
    • Function_0040114C
    • Function_0040101D

    Executed Functions

    APIs
    • lstrcmpA.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401122
    • SetErrorMode.KERNEL32(*%Q@), ref: 0040190B
    • FileTimeToSystemTime.KERNEL32(00405C89,00405C91), ref: 00401940
    • TlsGetValue.KERNEL32 ref: 004019D8
    • lstrcmp.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401A50
    • SetErrorMode.KERNEL32 ref: 00401AC3
    • lstrcmpiA.KERNEL32(iymyivqsw,iymyivqsw), ref: 00401AED
    • SleepEx.KERNELBASE(000003E8,00000000,00000007), ref: 00401B85
    • GetModuleHandleW.KERNEL32(kernel32.DLL), ref: 00401C21
    • GetProcAddress.KERNEL32(00000000,WriteProcessMemory,00000000,HeapCreate,00000000,LoadLibraryA), ref: 00401CF8
    • GetProcAddress.KERNEL32 ref: 00401D36
    • GetProcAddress.KERNEL32 ref: 00401D8A
    • LoadLibraryA.KERNEL32(jscript.DLL), ref: 00401DD7
    • GetEnvironmentVariableA.KERNEL32(ldlaivqxuju,vonrjrzk,00000008,00000000), ref: 00401E05
    • SetEnvironmentVariableW.KERNEL32(hqedcpekvgn,mvmpnewbmhkc), ref: 00401E20
    • SetErrorMode.KERNELBASE ref: 00401E30
    • WriteProcessMemory.KERNELBASE(000000FF,0040550D,?,00000004,00000000), ref: 00401EB3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.282333544.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.282306447.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000001.282340695.0000000000404000.00000002.sdmp
    • Associated: 00000001.00000001.282347015.0000000000405000.00000004.sdmp
    • Associated: 00000001.00000001.282353100.0000000000406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: AddressErrorModeProc$EnvironmentTimeVariablelstrcmp$FileHandleLibraryLoadMemoryModuleProcessSleepSystemValueWritelstrcmpi
    • String ID: *%XQ@$*%Q@$HeapCreate$LoadLibraryA$WriteProcessMemory$fmtmtzlnik$fmtmtzlnik$hqedcpekvgn$iymyivqsw$iymyivqsw$jscript.DLL$kernel32.DLL$ldlaivqxuju$mvmpnewbmhkc$vonrjrzk
    • API String ID: 4170950412-42106266
    • Opcode ID: bf8d9cc17a22e21912af0f4124ca2e24b0fdba057cedbd66cd03695f70c3f77e
    • Instruction ID: ff4db53fbc01b8ef9426781628ac5c2b9e9970a2a0ab0925e8b854bc9001a1ca
    • Opcode Fuzzy Hash: bf8d9cc17a22e21912af0f4124ca2e24b0fdba057cedbd66cd03695f70c3f77e
    • Instruction Fuzzy Hash: 03F14732909B508FD300DB34EE99B5B3BB1EB51724B09823AD591BA2F6D7781944CF8D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • lstrcmpA.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401122
    • SetErrorMode.KERNEL32(*%Q@), ref: 0040190B
    • FileTimeToSystemTime.KERNEL32(00405C89,00405C91), ref: 00401940
    • TlsGetValue.KERNEL32 ref: 004019D8
    • lstrcmp.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401A50
    • SetErrorMode.KERNEL32 ref: 00401AC3
    • lstrcmpiA.KERNEL32(iymyivqsw,iymyivqsw), ref: 00401AED
    • SleepEx.KERNELBASE(000003E8,00000000,00000007), ref: 00401B85
    • GetModuleHandleW.KERNEL32(kernel32.DLL), ref: 00401C21
    • GetProcAddress.KERNEL32(00000000,WriteProcessMemory,00000000,HeapCreate,00000000,LoadLibraryA), ref: 00401CF8
    • GetProcAddress.KERNEL32 ref: 00401D36
    • GetProcAddress.KERNEL32 ref: 00401D8A
    • LoadLibraryA.KERNEL32(jscript.DLL), ref: 00401DD7
    • GetEnvironmentVariableA.KERNEL32(ldlaivqxuju,vonrjrzk,00000008,00000000), ref: 00401E05
    • SetEnvironmentVariableW.KERNEL32(hqedcpekvgn,mvmpnewbmhkc), ref: 00401E20
    • SetErrorMode.KERNELBASE ref: 00401E30
    • WriteProcessMemory.KERNELBASE(000000FF,0040550D,?,00000004,00000000), ref: 00401EB3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.282333544.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.282306447.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000001.282340695.0000000000404000.00000002.sdmp
    • Associated: 00000001.00000001.282347015.0000000000405000.00000004.sdmp
    • Associated: 00000001.00000001.282353100.0000000000406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: AddressErrorModeProc$EnvironmentTimeVariablelstrcmp$FileHandleLibraryLoadMemoryModuleProcessSleepSystemValueWritelstrcmpi
    • String ID: *%XQ@$HeapCreate$LoadLibraryA$WriteProcessMemory$fmtmtzlnik$fmtmtzlnik$hqedcpekvgn$iymyivqsw$iymyivqsw$jscript.DLL$kernel32.DLL$ldlaivqxuju$mvmpnewbmhkc$vonrjrzk
    • API String ID: 4170950412-1825959817
    • Opcode ID: 16fb50c4b9d5e7b1e36c9ae8e8588a5a40a857d742212b3335f81ac95d3d0503
    • Instruction ID: c7722d725683b8c21d72662331b1226b248479af832e5c13e3fb5e5069d67d34
    • Opcode Fuzzy Hash: 16fb50c4b9d5e7b1e36c9ae8e8588a5a40a857d742212b3335f81ac95d3d0503
    • Instruction Fuzzy Hash: B0D14672909B508BE304DB34EE99B5B3BB1EB51724B08823AD491BA1F5E7781944CF8D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TlsGetValue.KERNEL32 ref: 004014C1
    • GetPrivateProfileIntW.KERNEL32 ref: 0040154F
    • SetEnvironmentVariableW.KERNEL32(hqedcpekvgn,mvmpnewbmhkc), ref: 004015B8
    • FileTimeToSystemTime.KERNEL32(00405C89,00405C91), ref: 0040162C
    • TlsGetValue.KERNEL32 ref: 00401665
    • SetEnvironmentVariableW.KERNEL32(hqedcpekvgn,mvmpnewbmhkc), ref: 004016C8
    • TlsGetValue.KERNEL32 ref: 00401731
    • SetEnvironmentVariableW.KERNELBASE(hqedcpekvgn,mvmpnewbmhkc), ref: 004017AA
    • lstrcmpiA.KERNEL32(iymyivqsw,iymyivqsw), ref: 004017D2
    • FileTimeToSystemTime.KERNEL32(00405C89,00405C91), ref: 00401860
    • lstrcmpiA.KERNEL32(iymyivqsw,iymyivqsw), ref: 00401885
    • SetErrorMode.KERNEL32(*%Q@), ref: 0040190B
    • FileTimeToSystemTime.KERNEL32(00405C89,00405C91), ref: 00401940
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.282333544.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.282306447.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000001.282340695.0000000000404000.00000002.sdmp
    • Associated: 00000001.00000001.282347015.0000000000405000.00000004.sdmp
    • Associated: 00000001.00000001.282353100.0000000000406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: Time$EnvironmentFileSystemValueVariable$lstrcmpi$ErrorModePrivateProfile
    • String ID: *%Q@$hqedcpekvgn$ishueinxvfhblayn$iymyivqsw$iymyivqsw$kltjziry$mvmpnewbmhkc$ulbitvgjhqsnlryi
    • API String ID: 2290057239-579445202
    • Opcode ID: db0902c1b08c7b8e3daedce1f72d5154196078a58ef8ee8cc5c0b9f70adfcd34
    • Instruction ID: d40c6ab39655ceda6255896187b832a112cdb51913e5b5daef9eee3102e7399f
    • Opcode Fuzzy Hash: db0902c1b08c7b8e3daedce1f72d5154196078a58ef8ee8cc5c0b9f70adfcd34
    • Instruction Fuzzy Hash: 51D15932909B808FD3059B78EE59B0B3B71FB52714B19427AD591BA2F2D7781804CF8E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph of the function at 0x401278 (recovered from the rendered graph; basic blocks 401278 through 4017f3, exit block 4017f9-401fff). API calls by block:
    • 401293: VirtualAlloc
    • 4012aa: CreateFileW
    • 401331: ReadFile
    • 401380: CreateFileW
    • 4013b6: WriteFile, ShellExecuteW, ExitProcess
    • 40148b: call 401141
    • 40170c: SetEnvironmentVariableW
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00A6EE60,00001000,00000004), ref: 004012A0
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401322
    • ReadFile.KERNELBASE(?,?,?,?,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401366
    • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013A8
    • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013C4
    • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013FF
    • ExitProcess.KERNELBASE(00000000,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401407
    • SetEnvironmentVariableW.KERNELBASE(00000000), ref: 004017B0
    Memory Dump Source
    • Source File: 00000001.00000002.300513305.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.300505361.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000002.300520829.0000000000402000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: File$Create$AllocEnvironmentExecuteExitProcessReadShellVariableVirtualWrite
    • String ID:
    • API String ID: 2953804138-0
    • Opcode ID: 24b907354ff55cde0d579dd94234a169b6856afafdb3dcb319c5f22e431b83a9
    • Instruction ID: ec1c54a07be2e3d0f5f4ce7161c8ed54dd5d193bdda41cc3ea6a24ececc9dab7
    • Opcode Fuzzy Hash: 24b907354ff55cde0d579dd94234a169b6856afafdb3dcb319c5f22e431b83a9
    • Instruction Fuzzy Hash: 0E024F71A00214AFEF149FA8CC49BEEBBB9FF48311F144179F909EB291DA749D418B64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph of the function at 0x40101d (recovered from the rendered graph; basic blocks 40101d through 401140). API calls by block:
    • 40108e: GetComputerNameW
    APIs
    • GetComputerNameW.KERNEL32(00000000,?), ref: 004010BF
    Memory Dump Source
    • Source File: 00000001.00000002.300513305.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.300505361.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000002.300520829.0000000000402000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: ComputerName
    • String ID:
    • API String ID: 3545744682-0
    • Opcode ID: 5cfafb86fb150ef256dbbf0976cc62a29c7aba25a3c80d9efd8b766aac9a54dc
    • Instruction ID: fec0bbfb7cb5f5c9ff93f0aba7c4af0fb98ed251eecd6fb6de04687b49c31075
    • Opcode Fuzzy Hash: 5cfafb86fb150ef256dbbf0976cc62a29c7aba25a3c80d9efd8b766aac9a54dc
    • Instruction Fuzzy Hash: D831B075D10514AFEB50CEBC88453CABBF1BB8D351F618575EA59E7340EA3889839F20
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • lstrcmpA.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401021
    • SetErrorMode.KERNEL32(00000000), ref: 00401090
    • TlsGetValue.KERNEL32 ref: 004010A7
    • lstrcmpA.KERNEL32(fmtmtzlnik,fmtmtzlnik), ref: 00401122
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.282333544.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.282306447.0000000000400000.00000002.sdmp
    • Associated: 00000001.00000001.282340695.0000000000404000.00000002.sdmp
    • Associated: 00000001.00000001.282347015.0000000000405000.00000004.sdmp
    • Associated: 00000001.00000001.282353100.0000000000406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_XgkKQZc74T.jbxd
    Similarity
    • API ID: lstrcmp$ErrorModeValue
    • String ID: fmtmtzlnik$fmtmtzlnik
    • API String ID: 2638482360-2669483748
    • Opcode ID: 2d213de28b311043a79f05be381ceaa18924e7f2ecb7aa2fc03d8efbe3c851c2
    • Instruction ID: b51ddf07b4b8676b2cf28c80a3e3f06f71eacdf4e5d5910042dc1e4b2077183c
    • Opcode Fuzzy Hash: 2d213de28b311043a79f05be381ceaa18924e7f2ecb7aa2fc03d8efbe3c851c2
    • Instruction Fuzzy Hash: 20412E3294DB808FD701DB74EE5864A3B72EF56710B0942BAC1C1AB1F6D6380849CF8E
    Uniqueness

    Uniqueness Score: -1.00%